Unable to shake off malware: antit.exe

Status
Not open for further replies.

Vlaew

Hello guys, I just became aware of this when friends on my msn messenger list (using 2009 version) told me I started sending them a spam message.

The message was "Hot! Hot! (website was isexsexsex)" obviously it was an attack site, but what puzzled me was HOW I was sending it.

It happens when I sign in, it doesn't happen anytime I'm offline.

Looking at my process list I find a process called "antit.exe" that I didn't recognize as anything and found out from google it was malware, so I delete the jerk in safe mode (and the registries it has) only to find it come back 5 minutes later on startup. (At one point I saw 0.exe pop up on the process list, then disappear, leaving antit.exe running)

And the trick to finding antit.exe (for some reason there is no 0.exe in sys) is to go to folder options and to see hidden SYSTEM files. It's being treated as a system file, which makes me wonder if that's why Spybot resident doesn't complain in paranoid mode because it just lets the thing install itself.

Spybot doesn't have anything like this in its database, it's useless. I also tried AVG, it recognizes the antit.dll as a threat and removes it, but that's about it, next start up it will only come back. Even if you kill the process you have to delete the files in safe mode because it says it's still being used.

I checked some database sites, apparently this thing is fairly new, hence not showing up on most scanners or programs, and when they do, they just delete the dll and exe which doesn't solve the problem.

Another thing is apparently I spam the message on msn even when the antit.exe ISN'T running!

I tried almost all the resources I can get, now I need professional help. Please help me out? Thank you in advance.

I completed the 8 steps without any problems except for the fact the thing keeps coming back. SUPERAntiSpyware was able to find more than the others did, but it still came back.
 
I have the same problem! I was trying to get rid of this malware with everything. I did, for a short time at least.

Last night I thought I was clear, I scanned in safe mode with Spybot, Ad-Aware, and Malwarebytes. The first 2 failed me, but Malwarebytes found the antit problem and the registry keys and some folders and files in my program files (it makes me wonder how it is possible, since I took a look myself and couldn't locate the folder, with the folder options set to see everything).

Anyway I removed the infections with Malwarebytes, the log reported that everything was successful and I continued working on my PC till early morning. Then I turned it off and went to sleep. So today, full of confidence, I started up the PC, and went to check my mails and start working (I'm in Graphics Design college, and I have exams these days, you can get an idea of the stress here) and here we go again. My contacts on MSN inform me that I spam links to them, again.

I did a scan with malwarebytes again, removed it again, and now it appeared again. I did another scan and guess what, here it is again.

Any solution?

(forgot to mention I work on Windows XP SP3 greek)


edit: I noticed the quick appearance of 0.exe before antit.exe appears in the processes again.
 
nitro912gr ->

Please run the steps in this guide:

8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Post attached logs from:

Malwarebyte
Superantispyware
Hijackthis


In your own new topic


Vlaew -->>>

Please download Combofix:
ComboFix
And save to the desktop.

Close all other browser windows.

Double-click on the combofix icon found on your desktop.

Please note that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.
 
This is a new worm (or a new variant of an existing worm, which is more likely) that spreads through MSN (of course, only if someone clicks that link). You should upload that antit.exe file to AV vendors so they can update their signature files.

And the 0.exe is probably a dropper (it's run before antit.exe, and it creates it at that moment).

If you want to make sure again that it's only that .exe's fault, and not the account's, try to log in from another computer (or another OS on your computer, such as a distro of Linux, if available).

If nothing else, upload that antit.exe (and the 0.exe, if you find it) in a password-protected RAR archive to a file sharing service and PM me the link + the password, and I'll run it sandboxed and try to observe its behavior.

Good luck solving this problem!
-- ThexDarksider

P.S. I found this thread on Google by searching for 'HOT!HOT! isexsexsex' because I got the same spam message from one of my contacts today (although I believe he was offline; this definitely needs further investigation!)
 
This thread is for the use of Vlaew only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Virus and Malware Removal Forum.


Malware cleaning is customized for each individual system.
 
SuperAntiSpyware just found something called pve.exe in windows, it deleted it and so far that exe hasn't come back yet.

I think antit is now downloading stuff now
 
Bump for great justice!

I think I killed it!

Here is how I did it. (This doesn't mean it might be the SAME solution to YOUR problem because there are variants to this "virut", I'm not an expert, but I try, don't blame me if you do the same thing I did and screw up.) But this is how I did it to explain to the moderators:

I disabled my wireless. Then did scans from SAS and Malwarebytes.
I downloaded F-Secure Anti-Virus, because their database was more up to date with this mofo and plus their trial has the monitor of any changes to the system. So after doing a bunch of scans, I booted in safe mode and repeated just so there wasn't anything else running. Then I booted in normal mode with the internet off still, and then it happened...

I finally caught the "0.exe" that was responsible for this, because it was caught by the monitor scanner thingy when it tried to launch cmd.exe. It asked if I should let it run, of course I didn't, but it didn't bother to delete it either, so I had to go to the source (it's in Common Files in my Program Files on C:, not hidden or system tagged) and I deleted it. I rebooted and did some final scans that reported clean and then enabled my wireless and waited... and waited... and it did NOT show up again. I logged on to MSN and so far none of my friends said I spammed them anything.

Awesome. I'm gonna keep the F-Secure thing running to make sure it doesn't come back again through some exploit. Just look for 0.exe.BAT <--- hah, a bat

I had no sleep and I am wired up on skittles.

Here is a HJT log if you want.

Spread the word about that 0.exe.bat, I like to hit malware coders where it counts.
 
Vlaew,

Please read this: Credit to kritius:
P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitComet for ClickCapture, AddAllLink, AddVideo

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here (http://p2p.malwareremoval.com/)

I would recommend that you uninstall BitComet, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player:

To remove, find and remove Viewpoint Media Player

Go to Start > Run and copy/paste or type: taskmgr
  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.

Click on Start > Run and type: services.msc > OK
  • Click the "Extended" tab.
  • Scroll down the list and find the service called "Viewpoint Manager Service".
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.

Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint, i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist: Open Windows Explorer > Programs:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder
 
Thank you Bobbye, I use BitComet as a downloader and it was marked as clean by one of the links you gave me. I used to have FrostWire and before that, BearShare, but BearShare for some reason couldn't connect to the host anymore (I think they died) and FrostWire had more files pretending to be what they are than real files. Anyway, I'm sticking with the comet because it was one of the safer apps from the list.

But thank you for the viewpoint guide, I do have VLC player. <3
 
I use bitcomet as a downloader and it was marked as clean by one of the links you gave me.
Please tell me what that link was. I would never knowingly pass on anything that said BitComet is clean.

And please remember, when you share files, you get the bad with what you may think is the good.
 
It's in the MalwareRemoval link.

They went through a long stage of testing the various programs and advising people which ones to use. They have since changed policy and now instruct users to remove all programs prior to any fixes.

(List last updated 19 December 2008)
 
Here it is, it's odd because it said it removed antit.exe and dll and the folder again but it was non existent in the first place, AND there is no 0.exe.bat around to run it up either.

So...should I remove bitcomet? What's a safer app?
 

Attachments
  • ComboFix.txt (32.9 KB)
"1863:TCP"= 1863:TCP:Bearshare

None of these is safe. You have a port allowing BearShare traffic and you're using BitComet. Please read the information in the P2P Warning.
 
Open Notepad and copy/paste the text in the codebox below into it.
Name the file CFScript and save it on the desktop.

Code:
Killall::
Snapshot::
File::
c:\documents and settings\Vlaew\Application Data\Mozilla\Firefox\Profiles\r3ck0uhq.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
Folder::
c:\program files\BitComet
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\MicPhone
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"shv"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1863:TCP"=-

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
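The CFScript above removes a Run value ("shv") and a firewall exception ("1863:TCP", the Bearshare entry) from the registry. As an added example that is not from this thread or from ComboFix, the Python script below parses a constructed .reg export of those two keys and flags the Run entry and the non-Microsoft open port, so the same check can be run over a real `reg export` before deciding what to delete. The sample data, the resource-string heuristic for built-in exceptions and the ".DEFAULT hive" note are the example's own assumptions.

```python
import re
# Constructed sample .reg export, modelled on the two keys the CFScript above
# deletes from. The value data is made up for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"shv"="C:\\WINDOWS\\system32\\antit.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1863:TCP"="1863:TCP:*:Enabled:Bearshare"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"""

def parse_reg(text):
    """Return {key: {name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # dword:/hex: values are skipped; only strings matter here
                name, data = (s.replace('\\"', '"').replace('\\\\', '\\')
                              for s in m.groups())
                keys[current][name] = data
    return keys

def audit(keys):
    """Flag Run entries and enabled firewall exceptions worth a second look."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith(r"\currentversion\run"):
            # .DEFAULT is not a logged-on user's profile: an unusual place to persist
            where = ("outside any user profile (.DEFAULT hive)"
                     if low.startswith(r"hkey_users\.default") else "user profile")
            findings += [("run", name, cmd, where) for name, cmd in values.items()]
        elif low.endswith(r"\globallyopenports\list"):
            for name, data in values.items():
                port, _proto, scope, state, label = data.split(":", 4)
                # XP SP2's own exceptions carry "@...dll,-id" labels; others were added
                builtin = label.startswith("@")
                if state == "Enabled" and (not builtin or port == "1863"):  # 1863 = MSN
                    findings.append(("port", name, label,
                                     "all hosts" if scope == "*" else scope))
    return findings
```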
 
I did what you told me touch, unfortunately when it restarted and was preparing a log I got a blue screen of a memory dump and it restarted again. (I usually get it when the computer gets stressed out from doing so much ****. It's like 5 years old)

I also uninstalled BitComet before the combofix thing, which is a really interesting program.

Want me to run combofix again or is that unhealthy?
 