The latest and greatest in Malware Removals

I have started referring to malware more and more lately because the term virus doesn't exactly describe the pests I see on people's machines, and the terms spyware or adware don't do justice to some of these pests either. (There are many pieces of what I would consider malware that do undesired things and whose makers protest vehemently, and technically correctly, that they are not spyware.) So, the last week I've had my hands full with a machine on the bench that had a bug in it that was like a multi-headed hydra. It's kind of like Night of the Living Dead or one of those Friday the 13th movies… every time you think you've got the baddies licked they keep coming back. Hang on, this could be a long post….

To start out with, this system was the motivation for the new pages here for both the antivirus removal tools (due to a crippled McAfee installation) and the Malware, Virus and Spyware removal toolkit. This is something I had wanted to compile in one page for some time, but this system required just about every tool in the arsenal to make sure it was clean.

At the end of the day, gool.exe was one of the bugs; it's an internet worm that goes back a few years. But there were also interesting screensavers, c:\windows\system32\blphccbpj0e95t.scr and c:\windows\system32\ebabdbfc.dll (all probably randomly generated filenames), and there were also memsweep2, Virtumonde, xx.exe (which ran as a service called sysinternals), something called vnrblock, another called sakora.exe or sakora, and getpack21 or getpack. Some of these may have been legit programs, but these are the ones that still had startup entries pointing at missing files after all the cleanups.

So, let me start at the beginning. I had been given this machine to work on at one of the businesses I visit. It was a home machine. Unfortunately it didn't have the original Windows XP CD. It's a Dell (short on memory at around 256 MB) with XP SP2 (now SP3). If it had come with the install CD it would certainly have saved time to WIPE EVERYTHING and start from scratch, because this system has sucked time like you wouldn't believe.

First off, I noticed that the web browser window closes when attempting to visit an antivirus site and download antivirus software. So, I copy things over on a memory stick. The first virtual paratrooper installed is Malwarebytes' Anti-Malware, which begins to work its magic, creating a virtual beachhead on the infested computer. What follows are its initial results:

Malwarebytes' Anti-Malware 1.28

Database version: 1234

Windows 5.1.2600 Service Pack 2

10/7/2008 12:30:58 AM

mbam_findings.txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 144494

Time elapsed: 2 hour(s), 5 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 8

Registry Keys Infected: 92

Registry Values Infected: 11

Registry Data Items Infected: 3

Folders Infected: 37

Files Infected: 190

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Program Files\Windows NT\hokenobal4444.dll (Trojan.Downloader) -> No action taken.

C:\Program Files\Windows NT\hokenobal83122.dll (Trojan.Downloader) -> No action taken.

C:\Program Files\Webtools\webtools.dll (Trojan.BHO) -> No action taken.

C:\Program Files\Common Files\lavuh.dll (Trojan.BHO) -> No action taken.

C:\Program Files\QdrDrive\QdrDrive20.dll (Trojan.Downloader) -> No action taken.

C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> No action taken.

C:\WINDOWS\system32\cunta.dll (Trojan.BHO) -> No action taken.

C:\Program Files\BChanger\bchanger.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98663e21-9cce-4cf6-863c-911a9523a66f} (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfdbxv (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{98663e21-9cce-4cf6-863c-911a9523a66f} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{5fe161fb-22c5-48f8-b89e-673d66b2031b} (Trojan.Downloader) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fe161fb-22c5-48f8-b89e-673d66b2031b} (Trojan.Downloader) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{67030f93-79ca-44be-9ffa-39838bce0f9a} (Trojan.Downloader) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67030f93-79ca-44be-9ffa-39838bce0f9a} (Trojan.Downloader) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{37453522-a04e-45c8-74ab-5e382a0b7686} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37453522-a04e-45c8-74ab-5e382a0b7686} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{f7fced71-ac73-4131-8836-a13c0fb0385b} (Trojan.Downloader) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{180175c0-913e-451c-9419-2d5500368d43} (Trojan.Downloader) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{180175c0-913e-451c-9419-2d5500368d43} (Trojan.Downloader) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{8eeb2711-9d21-4f9c-99a1-b7fc5a8ca56a} (Trojan.Downloader) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8eeb2711-9d21-4f9c-99a1-b7fc5a8ca56a} (Trojan.Downloader) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> No action taken.

HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> No action taken.

HKEY_CLASSES_ROOT\tvengine.bho (Spyware.Hotbar) -> No action taken.

HKEY_CLASSES_ROOT\tvengine.bho.1 (Spyware.Hotbar) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{21eeb010-57f3-11dd-b116-dad055d89593} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{28621188-61c7-4829-a54b-3b73d055e982} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{3544568d-d586-4746-84b9-84c7706ad597} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{4f2a5211-53b6-4c07-9a6d-959bf989528f} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{535841d3-f4e1-4d3a-b506-cbc7f4e14913} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{58035c9e-9a00-42fe-8f38-b380704f8eba} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{5c6d3658-833b-4e33-8bf4-77c4173770cf} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{6d1595ce-b92a-47c5-9cc3-ae11e5a9aafa} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{83481be4-117a-4bb4-87b1-2b14528b64a7} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{878bf64d-da3b-417c-a957-19662d5331c3} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{8a5b98b5-6cc9-49d4-967c-bb6aaa04e7e4} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{8c55cf0f-fd4a-4b03-9365-906b0bfa86cc} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{b216377d-994c-4555-b44f-35f64d586833} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{c2105722-4ecc-48e8-866a-bf166ca967c4} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{c4585709-b01d-4ee5-9274-3e34ea56e4b8} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{cccc68a6-7114-423a-b9a5-7110eb925edd} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{e04407f5-f6b9-495d-a767-4d860e42dbe2} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{4b18dd50-c996-44fc-ac52-0fecff82ed58} (Spyware.Hotbar) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{a184258a-57e9-11dd-b273-f06255d89593} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{933ed98e-57e9-11dd-bf82-a36255d89593} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{933ed98e-57e9-11dd-bf82-a36255d89593} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{9fe6e4aa-800c-46a6-943d-dd83d90c25f0} (Adware.Hotbar) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{5a4c66fb-4b04-478c-b855-fca385797db7} (Rogue.MalwareCrush) -> No action taken.

HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{141fdc3c-15fb-11dd-b723-9ef855d89593} (Spyware.OnlineGames) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4b18dd50-c996-44fc-ac52-0fecff82ed58} (Spyware.Hotbar) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedrunner (Adware.SurfAccuracy) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{9552f3b2-4183-4473-a347-96f82af15f26} (Trojan.Agent) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{3670a914-63c2-4e67-8c9b-370ae1922143} (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3670a914-63c2-4e67-8c9b-370ae1922143} (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bchanger (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> No action taken.

HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webtools (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\QdrDrive (Adware.ISM) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.

HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

HKEY_CLASSES_ROOT\cun.ta (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\cun.ta.1 (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\WebBuying (Adware.WebBuying) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysrest.sys (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\speedrunner (Adware.SpeedRunner) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfkg6wip (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphccbpj0e95t (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

C:\Program Files\MalwareCrush (Rogue.MalwareCrush) -> No action taken.

C:\Program Files\InetGet2 (Trojan.Downloader) -> No action taken.

C:\Program Files\MalwareAlarm (Rogue.Malware.Alarm) -> No action taken.

C:\Program Files\Hotbar (Adware.Hotbar) -> No action taken.

C:\WINDOWS\system32\iDlo01 (Trojan.Downloader) -> No action taken.

C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> No action taken.

C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> No action taken.

C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> No action taken.

C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> No action taken.

C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> No action taken.

C:\Program Files\FunWebProducts\PopSwatr (Adware.MyWebSearch) -> No action taken.

C:\Program Files\FunWebProducts\PopSwatr\History (Adware.MyWebSearch) -> No action taken.

C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> No action taken.

C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> No action taken.

C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> No action taken.

C:\Program Files\Starware349 (Adware.Starware) -> No action taken.

C:\Program Files\Starware349\bin (Adware.Starware) -> No action taken.

C:\Program Files\Starware349\icons (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349 (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\contexts (Adware.Starware) -> No action taken.

C:\Program Files\Temporary (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\nGpxx01 (Trojan.Downloader) -> No action taken.

C:\Program Files\QdrDrive (Adware.AdBand) -> No action taken.

C:\Program Files\NoDNS (Trojan.Agent) -> No action taken.

C:\Program Files\nvcoi (Trojan.Stars) -> No action taken.

C:\Program Files\Webtools (Trojan.Agent) -> No action taken.

C:\Program Files\VnrBlock (Trojan.Agent) -> No action taken.

C:\Program Files\BChanger (Trojan.Agent) -> No action taken.

C:\Program Files\Sakora (Trojan.Agent) -> No action taken.

C:\Program Files\GetPack (Trojan.Agent) -> No action taken.

C:\Program Files\iCheck (Trojan.Agent) -> No action taken.

C:\Program Files\Mjcore (Trojan.BHO) -> No action taken.

C:\Documents and Settings\USER2\Application Data\WinTouch (Adware.WinPop) -> No action taken.

C:\Documents and Settings\USER2\Application Data\speedrunner (Adware.SurfAccuracy) -> No action taken.

C:\Documents and Settings\USER3\Application Data\speedrunner (Adware.SurfAccuracy) -> No action taken.

C:\Documents and Settings\USER\Application Data\speedrunner (Adware.SurfAccuracy) -> No action taken.

Files Infected:

C:\WINDOWS\system32\khfdbxv.dll (Trojan.Vundo.H) -> No action taken.

C:\Program Files\Windows NT\hokenobal4444.dll (Trojan.Downloader) -> No action taken.

C:\Program Files\Windows NT\hokenobal83122.dll (Trojan.Downloader) -> No action taken.

C:\Program Files\Webtools\webtools.dll (Trojan.BHO) -> No action taken.

C:\Program Files\Common Files\lavuh.dll (Trojan.BHO) -> No action taken.

C:\Program Files\QdrDrive\QdrDrive20.dll (Trojan.Downloader) -> No action taken.

C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> No action taken.

C:\Documents and Settings\USER\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SpeedRunner) -> No action taken.

C:\Documents and Settings\USER\Application Data\Microsoft\Windows\svlpjgg.exe (Trojan.Vundo) -> No action taken.

C:\WINDOWS\faceback.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\cunta.dll (Trojan.BHO) -> No action taken.

C:\Program Files\MalwareCrush\MalwareCrush.exe (Rogue.MalwareCrush) -> No action taken.

C:\Documents and Settings\USER\Application Data\SpeedRunner\SRUninstall.exe (Adware.SurfAccuracy) -> No action taken.

C:\Documents and Settings\USER\Local Settings\Temp\SystemDoctor2006FreeInstall.exe (Rogue.Installer) -> No action taken.

C:\Documents and Settings\USER\Local Settings\Temp\GLK53.tmp (Rogue.EvidenceEliminator) -> No action taken.

C:\Documents and Settings\USER\Local Settings\Temp\xrun.exe (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER3\Application Data\Microsoft\Windows\vyoujc.exe (Trojan.Vundo) -> No action taken.

C:\Documents and Settings\USER3\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SpeedRunner) -> No action taken.

C:\Documents and Settings\USER3\Application Data\SpeedRunner\SRUninstall.exe (Adware.SurfAccuracy) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\!update.exe (Adware.PurityScan) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\sdexe.exe (Adware.PurityScan) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\NDR580.tmp (Adware.PurityScan) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\yazzsnet.exe (Adware.PurityScan) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\gettpa420.exe (Adware.Agent) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\gettpa421.exe (Adware.ClickSpring) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\snapsnet.exe (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\RarSFX0\webhdll.dll (Adware.Webhancer) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\RarSFX0\whAgent.exe (Adware.Webhancer) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\RarSFX0\whiehlpr.dll (Adware.Webhancer) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\RarSFX0\whInstaller.exe (Adware.Webhancer) -> No action taken.

C:\Documents and Settings\USER2\Application Data\Microsoft\Windows\simcklju.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\USER2\Application Data\Microsoft\Windows\tsbpk.exe (Trojan.Vundo) -> No action taken.

C:\Documents and Settings\USER2\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SpeedRunner) -> No action taken.

C:\Documents and Settings\USER2\Application Data\SpeedRunner\SRUninstall.exe (Adware.SurfAccuracy) -> No action taken.

C:\Documents and Settings\USER2\Application Data\WinTouch\WinTouch.exe (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER2\Application Data\WinTouch\WTUninstaller.exe (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER2\Local Settings\Temporary Internet Files\Content.IE5\J1XK5WM2\sruninstaller.prod.v12000.11jan2008.exe[1].1ac39aea6b22cdb4e6ed0c75f1d83467 (Adware.SurfAccuracy) -> No action taken.

C:\Program Files\Common Files\Yazzle1560OinAdmin.exe (Adware.ClickSpring) -> No action taken.

C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe (Adware.ClickSpring) -> No action taken.

C:\Program Files\NoDNS\NoDNS.exe (Trojan.Agent) -> No action taken.

C:\Program Files\nvcoi\nvcoi.exe (Trojan.Agent) -> No action taken.

C:\Program Files\QdrDrive\qdrloader.exe (Trojan.Downloader) -> No action taken.

C:\Program Files\Sakora\Sakora.exe (Trojan.Agent) -> No action taken.

C:\Program Files\Temporary\InsiDERInst.exe (Trojan.Downloader) -> No action taken.

C:\Program Files\VnrBlock\VnrBlock20.exe (Trojan.Downloader) -> No action taken.

C:\Program Files\GetPack\GetPack20.exe (Trojan.Agent) -> No action taken.

C:\Program Files\GetPack\GetPack21.exe (Adware.SpeedMonitor) -> No action taken.

C:\Program Files\iCheck\iCheck.exe (Adware.ISM) -> No action taken.

C:\Program Files\Windows Media Player\kemyq777444.dll (Adware.TTC) -> No action taken.

C:\WINDOWS\POTA777444.exe (Adware.TTC) -> No action taken.

C:\WINDOWS\tk58.exe (Trojan.BHO) -> No action taken.

C:\WINDOWS\TTC-4444.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\b154.exe (Trojan.Matcash) -> No action taken.

C:\WINDOWS\mrofinu572.exe.tmp (Trojan.Downloader) -> No action taken.

C:\WINDOWS\mrofinu_upx.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\b103.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\b104.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\b116.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\b138.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\b153.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\b157.exe (Trojan.Dropper) -> No action taken.

C:\WINDOWS\system32\F.tmp (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\11.tmp (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\12.tmp (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\13.tmp (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\14.tmp (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\1D.tmp (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\2C.tmp (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\ssqnmkk.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\D.tmp (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\blphccbpj0e95t.scr (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\ets1\ovstadcom2.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\nip4\hoftidndll3.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\wnis6\enamd83122.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\iDlo01\iDlo011065.exe (Trojan.Downloader) -> No action taken.

C:\Program Files\MalwareAlarm\MalwareAlarm.lic (Rogue.Malware.Alarm) -> No action taken.

C:\Program Files\MalwareAlarm\Uninstall.exe (Rogue.Malware.Alarm) -> No action taken.

C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> No action taken.

C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> No action taken.

C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> No action taken.

C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> No action taken.

C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> No action taken.

C:\Program Files\FunWebProducts\PopSwatr\History\allowed (Adware.MyWebSearch) -> No action taken.

C:\Program Files\FunWebProducts\PopSwatr\History\notallow (Adware.MyWebSearch) -> No action taken.

C:\Program Files\FunWebProducts\ScreenSaver\Images\0039B754.urr (Adware.MyWebSearch) -> No action taken.

C:\Program Files\FunWebProducts\Shared\003C5DCB.dat (Adware.MyWebSearch) -> No action taken.

C:\Program Files\Starware349\brand.bmp (Adware.Starware) -> No action taken.

C:\Program Files\Starware349\Setup.exe (Adware.Starware) -> No action taken.

C:\Program Files\Starware349\Starware349Config.xml (Adware.Starware) -> No action taken.

C:\Program Files\Starware349\icons\star_16.ico (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaykeyword.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaykeyword.png (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaysearch.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaysearch.png (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindIt.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindItHot.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\findithotxp.png (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\finditxp.png (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Highlight.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\HighlightHot.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\highlighthotxp.png (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\highlightxp.png (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\horoscopes.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\logo.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\logoxp.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Reference.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ReferenceHot.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\referencehotxp.png (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\referencexp.png (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Weather.bmp (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\weatherhotxp.png (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\buttons\weatherxp.png (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\contexts\error.xml (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\contexts\related.xml (Adware.Starware) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Starware349\contexts\travel.xml (Adware.Starware) -> No action taken.

C:\Program Files\NoDNS\UnInstall.exe (Trojan.Agent) -> No action taken.

C:\Program Files\nvcoi\mst.stt (Trojan.Stars) -> No action taken.

C:\Program Files\VnrBlock\VnrBlock21.exe (Trojan.Agent) -> No action taken.

C:\Program Files\VnrBlock\xenvertupd.exe (Trojan.Agent) -> No action taken.

C:\Program Files\VnrBlock\xtarga.gz (Trojan.Agent) -> No action taken.

C:\Program Files\BChanger\bchanger.dll (Trojan.Agent) -> No action taken.

C:\Program Files\BChanger\data.dat (Trojan.Agent) -> No action taken.

C:\Program Files\BChanger\Uninstall.exe (Trojan.Agent) -> No action taken.

C:\Program Files\GetPack\dictame.gz (Trojan.Agent) -> No action taken.

C:\Program Files\GetPack\trgtame.gz (Trojan.Agent) -> No action taken.

C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\USER2\Application Data\WinTouch\wintouch.cfg (Adware.WinPop) -> No action taken.

C:\Documents and Settings\USER2\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> No action taken.

C:\Documents and Settings\USER3\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> No action taken.

C:\Documents and Settings\USER\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> No action taken.

C:\WINDOWS\system32\pac.txt (Malware.Trace) -> No action taken.

C:\WINDOWS\system32\deb3\tewdrives22.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\qomkjif.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\awtutuv.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\lphccbpj0e95t.exe (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\phccbpj0e95t.bmp (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\b160.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\b161.exe (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> No action taken.

C:\Documents and Settings\USER3\Desktop\Internet Security Suite.url (Rogue.Link) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temporary Internet Files\fpinst.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\USER2\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER2\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER2\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\USER2\Local Settings\Temp\.tt10.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER2\Local Settings\Temp\.tt11.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt10.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt11.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt12.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt13.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt14.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt15.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt16.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt17.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt18.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt19.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt1A.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt1C.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt1E.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt21.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt24.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt29.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt2A.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt2B.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt2C.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt2E.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt35.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt36.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt37.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt39.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt80.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER2\Local Settings\Temp\.ttD.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER2\Local Settings\Temp\.ttE.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER2\Local Settings\Temp\.ttF.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.tt9.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttA.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttB.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttC.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttD.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttE.tmp.vbs (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER3\Local Settings\Temp\.ttF.tmp.vbs (Trojan.FakeAlert) -> No action taken.

In spite of the "No action taken" report, I did have it clean out everything it found. Next up was Grisoft’s AVG version 8. Since this is a home system, I installed the free edition and let it run a scan. At this point I was thinking that things were probably taking a turn for the better, but when I saw the system again it appeared to be in a reboot cycle. I assumed it must have finished the antivirus scan and perhaps needed to restart after an update. Then I saw a Windows blue screen and another reboot. ANOTHER Windows blue screen and reboot.
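The report format quoted above ("path (Detection) -> action.") is easy to eyeball for a dozen lines and easy to misread for a hundred. As an added example (not code from the original post or from Malwarebytes), here is a small Python triage script that parses lines in that format, counts what is still pending, groups detections by family and by user profile, and flags the entries that need follow-up beyond the scanner's own delete: kernel drivers (rootkit entries), binaries in system32 that some Autoruns entry must be loading, scripts re-dropped into Temp, and the fake-alert files that share a random stem. The sample lines are constructed from paths in the post; the final line's action string is an assumed example of a remediated entry.

```python
import ntpath
import re
from collections import Counter

# Constructed sample input in the same "path (Detection) -> action." format as the
# Malwarebytes report quoted above. Paths and detection names are taken from the
# post; the last line's action string is an assumed example of a remediated entry.
SAMPLE_LOG = r"""
C:\Program Files\GetPack\dictame.gz (Trojan.Agent) -> No action taken.
C:\Documents and Settings\USER2\Application Data\WinTouch\wintouch.cfg (Adware.WinPop) -> No action taken.
C:\WINDOWS\system32\qomkjif.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\lphccbpj0e95t.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\USER3\Local Settings\Temp\.tt10.tmp.vbs (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\USER3\Local Settings\Temp\.tt11.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Greedy path group so a " (" inside a path cannot be mistaken for the detection.
LINE_RE = re.compile(r"^(?P<path>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
USER_RE = re.compile(r"\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
SYS32_RE = re.compile(r"\\WINDOWS\\system32\\", re.IGNORECASE)


def followup_notes(path, detection):
    """Defender notes for entries that need more than the scanner's own delete."""
    ext = ntpath.splitext(ntpath.basename(path))[1].lower()
    family = detection.split(".")[0]
    notes = []
    if family == "Rootkit" or ext == ".sys":
        notes.append("kernel driver: confirm removal after reboot and rescan")
    if SYS32_RE.search(path) and ext in {".dll", ".exe", ".scr"}:
        notes.append("system32 binary: check Autoruns (Run keys, BHOs, screensaver) for its loader")
    if ext in {".vbs", ".js"} and "\\Temp\\" in path:
        notes.append("script in a Temp folder: expect re-drops while any loader survives")
    if detection == "Trojan.FakeAlert":
        notes.append("fake-alert component: look for .bmp/.scr files sharing the same random stem")
    return notes


def parse_line(line):
    """Parse one report line into a dict, or return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, detection, action = m.group("path"), m.group("detection"), m.group("action")
    user = USER_RE.search(path)
    return {
        "path": path,
        "detection": detection,
        "action": action,
        "user": user.group(1) if user else None,
        "notes": followup_notes(path, detection),
    }


def triage(log_text):
    """Summarise a report: totals, what is still pending, who is affected, follow-ups."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "total": len(entries),
        "pending": sum(1 for e in entries if e["action"] == "No action taken"),
        "by_family": dict(Counter(e["detection"].split(".")[0] for e in entries)),
        "by_user": dict(Counter(e["user"] for e in entries if e["user"])),
        "followups": {e["path"]: e["notes"] for e in entries if e["notes"]},
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f'{summary["total"]} detections, {summary["pending"]} still pending')
    print("by family:", summary["by_family"])
    print("by user profile:", summary["by_user"])
    for path, notes in summary["followups"].items():
        print(path)
        for note in notes:
            print("   -", note)
```

Run it against a saved report instead of the sample by reading the file into `triage()`. The "pending" count is the number to watch: a report full of "No action taken" lines means nothing has been remediated yet, whatever the rest of the output looks like.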

I started suspecting that the malware cleaners had crippled the Windows install. Here were some of the messages:

A problem has been detected and windows has been shutdown to prevent damage to your computer IRQ_NOT_LESS_OR_EQUAL pxhelp20.sys
Another referred to dlartl_n.sys.

Strangely, another message said the same, but in the faulting module area it said sysinternals_great_site, stop 0x00000100 tcpip.sys restarting, then Bad_Pool_Header stop 0x00000019 dag.sys address bf0007bb, then Page_Fault_in_nonpaged_area, audstub.sys (f9939t53e and f9939000 were addresses); kbdclass.sys was mentioned in another with an address of f9c4e9f9, a base of f964e000 and a datestamp of 36b01bd3.

Another was imapi.sys with an address of f94c84d2, a base of f94c6000 and a datestamp of 36b035ds; another claimed KMODE_Exception_not_handled and referred to kbdclass.sys with stop 0x000001e; another referred to rasl2tp.sys stop 9x99999959; other stops were 0x00000000 0xf9517bb6; and yet another module mentioned was usbd.sys with Panic_Stack_Switch.

At this point I wasn’t sure what was going on, but thought I’d try to catch it and boot into safe mode. Only…. when I touched a key we went to the welcome screen of XP. ALL of that above was a screensaver. Who knows how many randomized blue screens they’ve put into it, but it looked pretty authentic, mimicking the boot process and the auto-reboot on a Windows crash. Pretty devious. (The sysinternals_great_site gave a big hint that not all was as it seemed.)

So…. at this point I hadn’t yet seen the AVG results (it was still scanning), but with Malwarebytes Anti-Malware we had identified and cleaned out vundo.h, webtools bho, qdrdrive, qdrdrive20.dll, lavenh.dll, micore.dll, speedrunner, faceback.exe, myjavacore bho, mywebsearch, hotbar, cunta.dll, rogue malwarecrush.exe, zango, surfaccuracy, onlinegame, purityscan and evidence eliminator, and in spite of this we were still seeing strange behavior.

The first AVG scan uncovered several Adware Generic3.JVP bugs, plus Adware Generic3.LPS, Adware Generic.RLK and Adware Generic3.LLF in a folder called bs; bs17.exe was one of the bugs, dl.exe and euladlg.dll were others.

The viruses found included Malwarecrush.exe (in 1838140.exe), a getfile.php, coec.exe, b116.exe, b157.exe, b103.exe, b116.exe, b104.exe; it identified what it found as follows: Trojan horse downloader.fraudload.n, trojan horse clicker.poc, js/downloader.agent, trojan horse agent.jkr, trojan horse downloader.generic3.szp, trojan horse downloader.agent.acrg, trojan horse generic6.qzr, trojan horse generic_c.iky, trojan horse agent.jkr, trojan horse generic_c.iky, trojan horse spysheriff.e, trojan horse sheur.arxw,

and they were all removed. I also cleaned out the System Restore folder by disabling System Restore at this point. Next I went for Spybot Search &amp; Destroy as what I thought at the time would be my final pass.

Spybot found (and cleaned out) the following (many of which were just cookies): adrevolver, bfast, bluestreak, burstmedia, casalemedia, directtrack, doubleclick, fastclick, goclick, hitbox, hitslink, ksl, linksynergy, matchcraft, mediaplex, microsoft.windows.activedesktop, myway.mywebsearch, right media, searchingbooth.com, statcounter, systemdoctor2006, tradedoubler, webbuyingassistant, webtrends live, wildtangent, win32.agent.es, wintouch and zedo.

After this I ran another AVG scan, which came up clean. I declared victory and shut it down. But the next morning I thought I had better boot up and take another look JUST in case. I booted up and ran the web browser. On closing it, a small window popped up and disappeared. I ran AVG again and it found traces of spysheriff again, which it cleaned out.

So, I decided to start trying the online scanners. Trend Micro was the first. It found traces of memsweeper2, which it cleaned up. The second HouseCall scan came up clean. I ran another AVG scan and all seemed clean. I left it for the better part of a day. Malwarebytes came up clean, Spybot came up clean.

The next day when I updated and ran AVG there was a SLEW of new baddies…

Virus downloader.fraudload, rootkit-agent.af, backdoor.agent.ugj, downloader.agent.abwh (lots of .tmp files in c:\windows\system32 with this…). After this pass I returned to Trend Micro’s HouseCall and it once again found memsweeper2. It cleaned it and the second run didn’t turn up anything. Around this time I found a few suspicious startup items that I cleared out (including an xx.exe that was labelled sysinternals (???)).

One of the other online scans (F-Secure) turned up a file named gool.exe that was tagged as malware, which nothing else had apparently tagged. BTW, this was also running at startup.

After this, I visited the Kaspersky scanner and it found several items that had been dumped in the HouseCall quarantine. Since I still wasn’t convinced, I downloaded Autoruns from Sysinternals and SuperAntiSpyware free edition (which I hadn’t used before).

SuperAntiSpyware finally got things cleaned out. Here’s what IT found before I was convinced we had got everything:

It cleaned up a few stray registry entries from vundo, others from gool (it found yet another resurrection of gool in System Restore, which I flushed again), and there were several other traces of things in Temporary Internet Files.

At this point the last symptoms seemed to have gone away. There weren’t any other windows popping up for a split second with Internet Explorer, no other suspicious processes cropping up in Task Manager. I could actually shut down without an error message and the system seemed all clear. I’ve now checked the system a couple more times with the above tools and all seems clean. I went back one last time to audit things with Sysinternals Autoruns and used some of the missing items listed there to compile the list at the start of this article.

Along the way I installed UltraVNC on the system to assist in cleaning it up (which SuperAntiSpyware made note of and offered to remove; it tagged it as winVNC).

So there’s the story of the latest greatest infested system on the bench. This one has probably taken the longest to get back into working shape just because of its lack of memory. (Scans were taking several hours at a time.) As it is, it definitely would have been simpler to reinstall and update the system, but there wasn’t an install disk with the machine. I did update to Internet Explorer 7 and Windows XP SP3 along the way as well, to bring it up to current on the Windows Update front.
