Let me start by saying I think what you guys do here is awesome. It is comforting to know there are good folks out there fighting these menaces.
Summary:
I think Malwarebytes' Anti-Malware (MBAM) has already done the heavy lifting, and McAfee quarantined the rest. Have not had any recurring symptoms since restarting after running MBAM. However, I would greatly appreciate it if someone knowledgeable would have a look to let me know everything is spic & span (I'd like to feel comfortable using my computer for online banking, work, etc. again).
Symptoms:
On my Dell Dimension 8200, Windows XP Home (sp3) machine, I was getting popups and randomly opening IE windows with sites such as:
bestantivirusscanner.com, newser.com, adtechus.com, mevio.com, searchfeed.com
I'm sure I saw the words "Antivirus 2009" as well.
I think this all started appearing (Sat. 1-10-09) soon after visiting a less-than-reputable website (while searching with Yahoo, trying to remember the name for the Daemon Tools forum, I'm sure I was directed to some not so clean sites). I've been using IE for websurfing (I think I will be moving on to Firefox in the near future because of this experience).
I was also seeing warnings from Windows XP indicating that automatic updates was turned off, and I saw that McAfee SystemGuard was turned off as well, and I could not turn either one back on.
I ran Spybot - Search & Destroy, and it came up with the following problems:
AdRevolver, DoubleClick, FastClick, HitsLink, MediaPlex, RightMedia, Smitfraud-C, Statcounter, Virtumonde, Win32.TDSS.rtk
Cleanup:
Once I had time (earlier this week), I finally got serious and followed the Malware cleaning guide on this site:
ATF Cleaner ran fine. SysRestorePoint.exe gave the message "Restore Point Creation failed!" followed by "New Restore Point Successfully Created." I decided to move on; if things got too hairy I figured I would just reformat.
MBAM found (and removed) the following:
Trojan.Vundo.H, Trojan.Vundo, Trojan.Agent, Malware.Trace, Rootkit.Agent
MBAM asked for a reboot, during which I saw Windows ran CHKDSK (not a normal occurrence for me, maybe normal for MBAM?). Upon restart, McAfee finally began to pull its weight and popped up with multiple "Trojan Quarantined" messages that mentioned "Generic!Artemis" mainly.
I re-ran MBAM's quick scan and it came up empty.
McAfee's SystemGuard stays "on" now, I think this allowed the quarantines to take place.
Windows Automatic Update is turned on and once again set to run every night.
I ran a McAfee update and full system scan that also came up clean.
I ran HJT and will post the log below.
Spybot S&D was just run again and came up mostly with some cookies:
AdRevolver, BurstMedia, DoubleClick, MediaPlex, Microsoft.WindowsSecurityCenter_disabled, Right Media, WebTrends live, Win32.TDSS.rtk
Sec Center is probably disabled by McAfee. Most are cookies. But Win32.TDSS.rtk is categorized as "TrojansC", which worries me. Three registry keys are listed:
Win32.TDSS.rtk: [SBI $881E41BA] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Win32.TDSS.rtk: [SBI $7B4E031F] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys
Win32.TDSS.rtk: [SBI $C8DA2EDC] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:22 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\Games\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [AlcoholAutomount] "D:\Games\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - Startup: Registration .LNK = F:\Register\RegistrationReminder.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223019158201
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223098540062
O16 - DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} (DmDragDrop Class) - http://elnwebtop.es.dupont.com:8080/webtop/wdk/native/WdkPluginCab.CAB
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: lcccai.dll
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Games\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6205 bytes
Hopefully all that verbiage is understandable and I gave you what you need to know. Certainly let me know if you need more info.
Thanks in advance for any insight you can provide!
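As an added example (not from the poster or any of the tools named above), the following Python triage script reads HijackThis-format lines and pulls out the two entry types a helper would look at first in a log like this one: O20 AppInit_DLLs entries (every process that maps user32.dll loads the listed DLL) and O23 services whose vendor is reported as "Unknown owner". The sample log is constructed from the shape of the post's log and is assumed representative, not the full log.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format, modelled on the log in the
# post above (assumed representative; not the poster's full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [mcagent_exe] C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe /runkey
O4 - HKCU\\..\\Run: [Update Service] C:\\PROGRA~1\\COMMON~1\\TEKNUM~1\\update.exe /startup
O20 - AppInit_DLLs: lcccai.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\MSC\\mcmscsvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\\Program Files\\McAfee\\SiteAdvisor\\McSACore.exe
"""

@dataclass
class Finding:
    severity: str   # "high" or "medium" (labels chosen for this example)
    section: str    # HijackThis section code, e.g. "O20"
    detail: str

O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def triage(log_text: str) -> list:
    """Return review items found in a HijackThis log, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs may hold several names separated by spaces or commas.
            for dll in [d for d in re.split(r"[,\s]+", m.group(1)) if d]:
                # Any entry here loads into every user32-linked process, so it
                # deserves a look; a bare filename with no directory means the
                # file must be located and checked on disk before deciding.
                findings.append(Finding("high", "O20", f"AppInit_DLLs loads {dll}"))
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.groups()
            if owner.strip().lower() == "unknown owner":
                # No vendor string: confirm the binary's publisher/signature.
                findings.append(Finding("medium", "O23", f"service {name!r} at {path} has unknown owner"))
    return findings

def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 1, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.detail}")
```

A flagged line is a prompt to verify the file (location, publisher, hash against a reputable scanner), not a verdict on its own; several "Unknown owner" services in the post's own log belong to legitimate vendors.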