TechSpot

Bogus antispyware

By pbjam
Mar 11, 2008
  1. Hey all, I don't know what I have but I'll give you some symptoms. Error Cleaner, Privacy Protector and Spyware & Malware Remover (bogus) are on my desktop, popups with bogus threat alerts, explorer.exe has 99% CPU usage in Task Manager, the IE redirect is a strange website, Norton Internet Security detects "tmp12345.exe" trying to connect to a server at x.x.x.x, it also stops multiple attempts to change your homepage. I ran all the prelim scans; I think SmitFraud deleted a few things, like zlob. downloader.rid, win32.trojan.killproc. There are some things I don't recognize, mdXiXiob.exe, syntpenh.exe, csrss.exe, ccevtmgr, rdl rolex, toolbar etlrlws in the log files. AVG didn't save a log, my bad. Thanks for any help.

  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I hate to give bad news, but you are infected with a back door Trojan as well as many other infections. Please read this topic http://www.techspot.com/vb/topic65943.html

    If you do decide to attempt cleaning rather than a reformat, do understand that although we may be able to remove all known visible malware, we cannot guarantee that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we guarantee to repair the damages it may possibly have caused to vital system files.

    If you decide to clean your system

    First go to Start -> Control Panel -> Add/Remove Programs and uninstall the following:
    MyGeek.CPVFeed
    ---------------------------------------------------------------------------------------------------------

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on screen instructions
    • After it installs the newest version, go back to Control Panel -> Add/Remove Programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder
    ------------------------------------------------------------------------------------------------------

    Run Kaspersky Online AV Scanner:

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report to your next reply.
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------
    You have a lot of infections so we are going to need to use a lot of different programs to remove them.

    I really need to see the AVG log as well. I know this might take some time.
    AVG AntiSpyware
    • Launch AVG AntiSpyware
    • Click on the Update Icon at the top, then click Start Update in the left pane
    • After the update click on the Scanner Icon at the top, then select the Settings tab. In the first section "How to act?" click on recommended actions and change it to delete. In the reports section make sure it is set to Automatically generate report after every scan
    • Click back to the Scan tab and select Complete System Scan
    • Finally, after the scan, select the Infections Icon at the top, click Select All at the bottom, then finally Remove, also at the bottom
     
  3. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    Hi Blind Dragon, sorry it took so long, my computer is soo slow. I updated Java and ran Kaspersky, which said I have the "trojan.dropper.win32.agent.ftu" plus a few other things. I'll try to post the AVG but I think it will take a long time. Thanks for your time.
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Did you save the Kaspersky log? I really need to see any log that is produced from anything that we do to be able to help you.
     
  5. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    I think that is them, gotta get to j o b.

  6. tomrca

    tomrca TS Rookie Posts: 1,000

    Info for Blind Dragon: C:\Program Files\Trend Micro\crusty.exe\HijackThis.exe
    He has only renamed the file and not hijackthis.exe
    (yep, I spotted Zlob too)
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I saw that the folder was renamed and not the file.

    Tom, the one infection shows that it was first seen in the USA yesterday and there is not much info on it.
     
  8. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    Windows Update mal soft remover got something

    Hi, little coincidence, Windows Update dl'd some stuff including a Malicious Software Removal Tool and it got something. "windows installer {424a1F8d...zip.dll" "windows installer {#####winwin.dll
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Can you please post a fresh HijackThis log? I actually just found earlier that it was in the update.
     
  10. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    Hi, since the Windows Update thing, I rebooted, and they were back. I was just in the process of redoing the prelim scans again (just in case I did something like not rename the right thing). This scan is just after Panda ARK, and no reboot. Scan 2 is just after the Windows MSRT. I've been snooping around other websites, checking other logs with similar recent symptoms and a lot have O21 SSODL bokpkov.dll, O21 SSODL winwin.dll, O21 SSODL zip.dll, O21 SSODL altvxvm.dll. My scan doesn't have them after the SmitFraud, but they come back after reboot. By the way, BD, you're very generous with your time, I wanted to say thanks again.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Did you run smitfraudfix from SafeMode?

    The reason I ask is because it appears you have real-time protection still enabled. It is supposed to be run from safe mode so that the protection doesn't interfere.

    Can you please turn off system restore
    1. Click Start, right-click My Computer, and then click Properties.
    2. In the System Properties dialog box, click the System Restore tab.
    3. Click to select the Turn off System Restore on all drives check box.
    4. Click OK.
    5. Click Yes to confirm that you want to turn off System Restore.


    Run Smitfraudfix
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
     
  12. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    Hey, here's the SFF report. The computer works well, no symptoms right after running that, I can actually use it normally. One thing, it doesn't say anything about checking if wininet.dll is infected, both times... meaning it wasn't? Also at that point, the Windows Disk Cleanup starts up in a little window, does its thing and then shuts down. I then click Y to clean registry, which it does, then the main menu and I exit. Just checking? I had to edit the file to fit.
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good, yes the process you described is what is supposed to happen.

    When you say you had to edit the file to fit, was anything left out?

    Run me a new Hijackthis log from Normal Mode and attach it here.
     
  14. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    Hey, so far so good, no symptoms. Some more info: the web sites that always pop up are safenavweb.com, winx defender, spywareisolator; the IE redirect site is dns4error.com.

    I think I found the install time in the ComboFix log. fmsxwqs.exe was installed at a time that fits (in the section ...installed since this date).

    SSD found Wild Tangent, a registry key ...\microsoft\java vm\...
     
  15. kritius

    kritius TS Guru Posts: 2,084

    @Blind Dragon

    winx defender removed by Malwarebytes' Anti-Malware?
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The combofix entries you talk about are all part of http://research.sunbelt-software.com/threatdisplay.aspx?threatid=123565

    Remove HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
      O2 - BHO: (no name) - {3437F77C-C103-47BF-BF1D-7EAFC400BE8F} - (no file)
      O3 - Toolbar: (no name) - {5CFAD498-79F2-4A82-91A3-4BADDE0281B1} - (no file)
      O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.
    --------------------------------------------------------------------------------------------------------
    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Now go to Start -> Search -> All Files and Folders -> search for:
    fmsxwqs.exe
    etlrlws.dll
    altvxvm.dll
    bokpkov.dll

    If any are found, let me know; we will remove them in the next step.

    Also let me know if you purposely downloaded this movie C:\SPONGEBOB_SQUAREPANTS_ATLANTIS.ISO
    --------------------------------------------------------------------------------------------------------
    Let's add those sites to the blocked list.

    Open Internet Explorer

    Click Tools -> Internet Options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.

    Then, click the privacy tab and click the sites button. In the address bar type

    -any website that has been popping up
    -and www.cpvfeed.com

    Click OK, then OK again and close IE. Reboot your system.
    --------------------------------------------------------------------------------------------------------

    Manually Clear Cache:

    • Open an Explorer folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
    • If desired, reset the folder options you changed in step 1.
    ----------------------------------------------------------------------------------------------------------

    Generate Uninstall List

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file.
    --------------------------------------------------------------------------------------------------------------------------------------------------------------

    ***Attach this notepad file in your reply along with a fresh Hijackthis scan after completing the above.***
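    An added triage helper, not from this thread and not HijackThis code: it reads the entry types discussed above (the O2/O3 "(no file)" registrations and R1/O14 redirects listed for fixing, plus the O21 SSODL entries the topic starter saw return after every reboot) and marks what a helper would fix or review. The sample log is constructed from the lines and DLL names in this thread (CLSIDs not from the thread and the Adobe BHO line are placeholders), and the stock-SSODL allowlist is an assumption for a default Windows XP install.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed sample log: R1/O2/O3/O14 lines are the ones quoted in the thread;
# the O21 SSODL lines use the DLL names the topic starter saw return after a
# reboot. CLSIDs not from the thread and the Adobe BHO entry are placeholders.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O2 - BHO: (no name) - {3437F77C-C103-47BF-BF1D-7EAFC400BE8F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {5CFAD498-79F2-4A82-91A3-4BADDE0281B1} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O21 - SSODL: WPDShServiceObj - {22222222-2222-2222-2222-222222222222} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: bokpkov - {33333333-3333-3333-3333-333333333333} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {44444444-4444-4444-4444-444444444444} - C:\WINDOWS\system32\altvxvm.dll
"""

# Assumption: DLLs registered under ShellServiceObjectDelayLoad on a stock
# Windows XP box; anything else is loaded into explorer.exe at every logon.
STOCK_SSODL = {"webcheck.dll", "stobject.dll", "netshell.dll",
               "upnpui.dll", "wpdshserviceobj.dll"}

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
Finding = namedtuple("Finding", "entry_type detail reason")


def parse_entries(log):
    """Yield (entry type, body) for every HijackThis-style line in the log."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("type"), m.group("body")


def triage(log, ssodl_allowlist=STOCK_SSODL, homepage_hosts=frozenset()):
    """Return the entries a helper would mark for removal or review."""
    findings = []
    for etype, body in parse_entries(log):
        if etype in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(etype, body,
                "orphaned BHO/toolbar registration (file missing); fix it"))
        elif etype == "O21":
            # Body shape: 'SSODL: <name> - {CLSID} - <path to DLL>'
            path = body.rsplit(" - ", 1)[-1]
            dll = path.rsplit("\\", 1)[-1].lower()
            if dll not in ssodl_allowlist:
                findings.append(Finding(etype, body,
                    f"non-stock SSODL DLL {dll}: reloaded by explorer.exe at "
                    "every logon until the registry value is removed"))
        elif etype in ("R1", "O14"):
            m = URL_RE.search(body)
            if m and urlparse(m.group()).hostname not in homepage_hosts:
                findings.append(Finding(etype, body,
                    "home page / ShellNext points at an unexpected host; review"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry_type}: {f.reason}\n    {f.detail}")
```

    Passing `homepage_hosts={"ie.redirect.hp.com"}` keeps the OEM home-page entries out of the report and leaves only the orphaned BHO/toolbar entries and the two unknown SSODL DLLs.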
     
  17. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    Hey, still pretty quiet, so far. Yes, the SpongeBob thing is for the kids. I only found fmsxwqs.exe @ c:\windows, no sites in trusted sites. I tried to clear the cache, but there was no address bar to add the \content\ie5.
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Let me know how your computer is running.

    Go to Start -> Control Panel -> Add/Remove Programs and uninstall

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1

    In the top of Windows Explorer you should see something that looks similar to an address bar, or somewhere it should say the path that you took to get to the folder you are in.
     
  19. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    OK, I deleted the Java stuff, but I still can't clear the cache. The window I have doesn't have an address bar; when I click View\Toolbars and check Address Bar, all I get is a little greyed out button that says "Address" on the top right, and if I add Links it is a button that is greyed out. I powered down the laptop for a couple of hours and rebooted and the Error Cleaner stuff isn't on the desktop, explorer.exe isn't hogging 99% of the CPU in Task Manager, it's operating fairly smoothly, if I mistype a URL I don't get that dns4error website, no popups, no bogus alerts. The reason I mention the power down thing is because previously, when I did the prelim scan stuff and it seemed OK after a few reboots, I turned it off for the night, and the next day when I turned it on, all the junk was back. So far so good.

    done.
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good, let's just clear it the old fashioned way, the folders will still be there.

    From internet explorer

    1. Click the "Tools" menu bar.
    2. Choose "Internet Options".
    3. On the "General" tab in the "Temporary Internet Files" section, click "Delete Files"
    This will delete all the files in your cache.
    4. Click "OK"
    I like to delete all offline files as well.
    5. On the "General" tab, click "Clear History".
    This will clear all the history items in your browser.
    6. When it asks "Delete all items in your History folder?", click "OK".
    7. Click "OK" to exit the properties window.
     
  21. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    I ran Kaspersky and HouseCall again. Kaspersky was clean but HouseCall said I had "adware_memwatcher" and "freeloader_roings".
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Well, the good thing with HouseCall is that it will fix what it finds.

    Can you post a fresh HijackThis log so I can look it through one more time?
     
  23. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    OK, I ran another online scan just for a different look, BitDefender, and it said something different, trojan.agent.agvx. It may be that I have too much anti-stuff on my comp and I'm getting false indications, but I have the feeling that it is still compromised, I may still reformat. Having said that, I don't like to lose and that would be surrender. It still seems OK, no symptoms, but I don't like the thought of a keylogger, or password thing hiding in the background selling me out to a bunch of sl(h)ackers. BD, thanks again for your time. I've noticed that you and your TS colleagues give a lot of your (volunteer?) time, sometimes to people that don't really appreciate it. Anyways, if you think we're about done, I wanted you to know that I appreciate it.
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Let me see another combofix log from Normal Mode.

    Combofix
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt
     
  25. pbjam

    pbjam TS Rookie Topic Starter Posts: 17

    Hey, here's the CF log.
     
Topic Status:
Not open for further replies.
