Rogue.AntivirusSuite & Trojan.Fraudpack

[jj_analyst001]

Hi,

I'm really hoping someone can help. I noticed that my laptop (running Vista) began running really slowly, even mouse pointer movements became delayed as if the laptop was working extremely hard. I therefore ran Malwarebytes, and noticed i had been infected by Rogue.AntivirusSuite & Trojan.Fraudpack. I clicked on them to be fixed/removed, and consequently my Firefox no longer connected to the internet, i also noticed that if i closed Firefox, I'd still have Firefox.exe running as a process. Worse still if i ended the process, it would automatically appear again after a few seconds. I've removed Firefox using the control panel, and am able to connect using IE. I think I'm probably still infected, and am at a loss with what to do.

I've followed the instructions/steps given in this forum before posting however, the GMER Rootkit Scanner gives me the blue screen of death then restarts my laptop when i try to save the log file.

I've pasted my "DDS.txt" below, and can attach my "Attach.txt" if required. I would really, really appreciate it if someone could have a look and help me out.

Many Thanks.

DDS.txt below

DDS (Ver_10-03-17.01) - NTFSx86

Run by Jason Jansari at 12:23:08.92 on 25/06/2010

Internet Explorer: 8.0.6001.18928

Microsoft

[jj_analyst001]

DDS (Ver_10-03-17.01) - NTFSx86

Run by Jason Jansari at 12:23:08.92 on 25/06/2010

Internet Explorer: 8.0.6001.18928

Microsoft

[jj_analyst001]

Not sure why it's not letting me post my log either!?

[jj_analyst001]

As attached files..

Attach.txt

DDS.txt

[Kenny94]

H jj_analyst001i And Welcome to Malwarebytes!

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 6 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

1. rkill.exe
   
2. rkill.com
   
3. rkill.scr
   
4. rkill.pif
   
5. WiNlOgOn.exe
   
6. uSeRiNiT.exe
   

Please post the log in your next reply.

Once you've gotten one of them to run then try to immediately run the following:

Update Run Malwarebytes

• Launch Malwarebytes' Anti-Malware
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[jj_analyst001]

Hi Kenny, thank you very much for your assistance

I've ran rkill, and it produced this:

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Jason Jansari on 25/06/2010 at 14:59:21.

Processes terminated by Rkill or while it was running:

C:\Users\Jason Jansari\AppData\Local\TVersity\Media Server\MediaServer.exe

C:\Users\Jason Jansari\Downloads\rkill.exe

Rkill completed on 25/06/2010 at 14:59:27.

I then ran Malwarebytes and the log is below...

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4014

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18928

25/06/2010 15:07:13

mbam-log-2010-06-25 (15-07-13).txt

Scan type: Quick scan

Objects scanned: 113371

Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

It seems like there are no more infections, just to make you aware the previous time i ran it i got this...

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4014

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18928

25/06/2010 11:40:31

mbam-log-2010-06-25 (11-40-31).txt

Scan type: Quick scan

Objects scanned: 113409

Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxwtpade (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Kenny94]

Please run DDS again and post both logs please.

[jj_analyst001]

Here's the DDS.txt...

DDS (Ver_10-03-17.01) - NTFSx86

Run by Jason Jansari at 15:27:39.39 on 25/06/2010

Internet Explorer: 8.0.6001.18928

Microsoft

[jj_analyst001]

My apologies, both logs are attached, many thanks.

DDS.txt

Attach.txt

[Kenny94]

Note: You should remove LimeWire. P2P (peer-to-peer) using P2P software is very risky, because it makes you very susceptible to infection, attack, exposure of personal or company information. But this is up to you to remove LimeWire

There are some older versions of Java on your computer. These can be a source of infection.

[

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  
• Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 20 -
  
• Click the Download button to the right.
  
• Select the Windows platform from the dropdown menu.
  
• Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue.The page will refresh.
  
• Click on the link to download Windows Offline Installation and save the file to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u120 -windows-i586-p.exe to install the newest version.
  

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
    
  • Next, click on the Delete Files button
    
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
      

    [*]Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    [*]Click OK to leave the Temporary Files Window

    [*]Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_20 from Sun Microsystems Inc.

Next

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

• Please go here then click on:
  
• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
  
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  
• Now click on Advanced Settings and select the following:
  

• • Scan for potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth Technology
    

[*]Now click on:

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on:

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

[jj_analyst001]

Hi, I've followed all the steps you provided, and below is the log from ESET. Many thanks, J.

C:\Casino\William Hill Casino\_SetupCasino.exe probably a variant of Win32/Inject trojan

C:\Users\Jason Jansari\AppData\Local\lspool.exe a variant of Win32/Injector.CAZ trojan

C:\Users\Jason Jansari\Downloads\Programs\Cubase.Studio.4.rar probably a variant of Win32/Agent trojan

C:\Users\Jason Jansari\Downloads\Programs\MPC-6.4.9.exe Win32/Adware.Webdir application

C:\Users\Jason Jansari\Downloads\Programs\SetupCasino.exe probably a variant of Win32/Inject trojan

Operating memory a variant of Win32/Injector.CAZ trojan

[Kenny94]

Please download the OTM by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Files
  C:\Casino\William Hill Casino\_SetupCasino.exe 
  C:\Users\Jason Jansari\AppData\Local\lspool.exe 
  C:\Users\Jason Jansari\Downloads\Programs\Cubase.Studio.4.rar 
  C:\Users\Jason Jansari\Downloads\Programs\MPC-6.4.9.exe 
  C:\Users\Jason Jansari\Downloads\Programs\SetupCasino.exe
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [EMPTYFLASH]
  [Reboot]

  
  

• Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
  
• Click the red Moveit! button.
  
• A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  
• Close OTM
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

[jj_analyst001]

Hi, here are the log details from running OTM:

All processes killed

========== FILES ==========

C:\Casino\William Hill Casino\_SetupCasino.exe moved successfully.

C:\Users\Jason Jansari\AppData\Local\lspool.exe moved successfully.

C:\Users\Jason Jansari\Downloads\Programs\Cubase.Studio.4.rar moved successfully.

C:\Users\Jason Jansari\Downloads\Programs\MPC-6.4.9.exe moved successfully.

C:\Users\Jason Jansari\Downloads\Programs\SetupCasino.exe moved successfully.

========== COMMANDS ==========

C:\Windows\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Jason Jansari

->Temp folder emptied: 3783345 bytes

->Temporary Internet Files folder emptied: 6953675 bytes

->Java cache emptied: 3426278 bytes

->Flash cache emptied: 5749 bytes

User: Mcx1

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 41424 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 5254429 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 34093 bytes

%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 320 bytes

RecycleBin emptied: 1523814514 bytes

Total Files Cleaned = 1,472.00 mb

Restore point Set: OTM Restore Point

OTM by OldTimer - Version 3.1.12.2 log created on 06262010_101216

Files moved on Reboot...

C:\Users\Jason Jansari\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FXC3HCIN\index[5].htm moved successfully.

C:\Users\Jason Jansari\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0UZ7MKNO\iframe[1].htm moved successfully.

File C:\Windows\temp\mcmsc_HxP5It2OMqia37r not found!

File C:\Windows\temp\mcmsc_zuiHm8qN2AuDzhS not found!

File C:\Windows\temp\sqlite_c4b6LpXRcVPGYp7 not found!

File C:\Windows\temp\sqlite_CxiQrb0XMm9Inou not found!

File C:\Windows\temp\sqlite_LCxp63lykhZidnc not found!

File C:\Windows\temp\sqlite_zl5ZbXb4ZOSM3Zs not found!

Registry entries deleted on Reboot...

[Kenny94]

How are things now?

[jj_analyst001]

Thanks for your help, things seem a lot better now however, my laptop has started to disconnect itself from the internet every now and again which is strange?

I re ran the Malwarebytes scan and it shows no infections. As i removed Firefox from my programs earlier, I'm now going to go ahead and re-install it as it's my preffered browser of choice, unless you'd advise against this?

Many Thanks

[Kenny94]

I use Firefox. As for your laptop connection. You should check the settings. This batch file might help that was done by a member here.

Some final items:

Note: You will need to save any work before double clicking the fix.bat file because it will automatically restart your computer

• Please copy and paste the following text in the Code box exactly as written into notepad (not wordpad or any other text editor):
  

  @echo off
  ipconfig /release
  ipconfig /renew
  ipconfig /flushdns
  netsh winsock reset all
  netsh int ip reset all
  shutdown -r -t 10
  del /f /q %0

  
  

• Once you've done that click on File and select Save As...
  
• In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  
• Name the file fix.bat (the .bat extension is very important)
  
• Save the file to your desktop and double click it to run it.
  
• Once it runs it will automatically restart your computer
  
• Once your computer boots again, check to see if your internet performance has improved
  

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.
  

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Your Computer is Clean

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  
• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  
• Next press the Apply button and then the OK to exit the Internet Properties page.
  

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Winpatrol Download and install the free version of Winpatrol. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you.