Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade

[evilfantasy]

We will clean up the tools we have used when we are done.

Go ahead with the kaspersky scan. It won't remove anything but the log will be very helpful.

[lectrocrew]

Sorry for the delay. That scan took about an hour. Results below:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Monday, April 21, 2008 4:18:40 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 21/04/2008
 Kaspersky Anti-Virus database records: 719150
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   C:\
   D:\
   E:\
   F:\
   L:\

Scan Statistics:
   Total number of scanned objects: 97346
   Number of viruses found: 1
   Number of infected objects: 3
   Number of suspicious objects: 0
   Duration of the scan process: 00:56:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg8\Antispam\scoffset.bin.incr   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\AvgAm\avgam.lck   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\emc\Log\emc.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgam.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgcore.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgcore.log.1   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgfw8u.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgns.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgrs.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\avgsched.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\commonpriv.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Avg8\Log\commonpub.log   Object is locked   skipped
C:\Documents and Settings\LocalService\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\gdql_lsa_LinksysAgent.log   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log   Object is locked   skipped
C:\Documents and Settings\Owner\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log   Object is locked   skipped
C:\Documents and Settings\Owner\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip   ZIP: infected - 1   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\bl.db   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\is2.db   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008042120080422\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Owner\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\BWDocMap.pht   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\BWInfopakMap.pht   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chandir.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chandir.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chn.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\chn.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\D0000000.FCS   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\inuse.txt   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\L0000003.FCS   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\main.log   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_die.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_die.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_dnd.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_dnd.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_ext.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_ext.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_rcv.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\prs_rcv.idx   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\storydb.dat   Object is locked   skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Owner\Data\storydb.idx   Object is locked   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
C:\System Volume Information\_restore{C900D7EF-0604-4853-84B0-ADDDB2906470}\RP3\change.log   Object is locked   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\default   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\Internet.evt   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\system   Object is locked   skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
F:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
F:\System Volume Information\_restore{C900D7EF-0604-4853-84B0-ADDDB2906470}\RP3\change.log   Object is locked   skipped
L:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp   Object is locked   skipped
L:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
L:\System Volume Information\_restore{C900D7EF-0604-4853-84B0-ADDDB2906470}\RP3\change.log   Object is locked   skipped

Scan process completed.

[evilfantasy]

The log is clean. I am pretty sure that it was a false positive being given by Noadware.

Let's clear out the programs we've been using to clean up your computer, they are not suitable for
general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.

.
The above procedure will:

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

.
Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.

Let me know how things are now.

[lectrocrew]

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.

When I click on the 'CleanUp button I get an error box that says:
"OTMoveIt2
I/O error 1784"
I clicked the 'OK' in that box and tried clicking the CleanUp button again and got the same message.
What did I miss?

[evilfantasy]

Did the list load into the box under the yellow bar?

[lectrocrew]

no

[evilfantasy]

OK, open this attachment and copy then paste the entire list into the window under the yellow bar in OTMoveIt2. Then click the CleanUp button.

[recovering space - attachment deleted by admin]

[lectrocrew]

Done but I get the same error message

[lectrocrew]

Below is a copy - paste of whats in that box.

[nobackups]
[deleteself]
avenger.zip     <Avenger by Swandog46>
avenger.exe
Avenger
avenger.txt
bfu.zip         <BFU by Merijn>
BFU
combofix.exe    <ComboFix by sUBs>
Combo-Fix.sys
ComboFix
erdnt
QooBox
ComboFix*.txt
catchme         <delete service>
catchme.exe
fdsv.exe
grep.exe
moveex.exe
nircmd.exe
sed.exe
swreg.exe
Swsc.exe
Swxcacls.exe
VFind.exe
WS2Fix.exe
zip.exe
tmp.reg
dss.exe         <Deckard's System Scanner by Deckard>
Deckard
deljob.exe      <Author Unknown>
deljob
logit.txt
FindAWF.exe     <FindAWF by noahdfear>
AWF.txt
fixwareout.exe  <FixWareout by LonnyRJones>
fixwareout
fsbl.exe        <F-Secure BlackLight>
fsbl*.log
gmer.exe        <GMER by Gmer>
gmer.dll
gmer.ini
gmer.log
gmer_uninstall.cmd
gmer.sys
gmer            <delete service>
haxfix.exe      <Haxfix by Markie>
haxfix.txt
killbox.exe     <Killbox by Option^Explicit>
!Killbox
NoLop.exe       <NoLop by ?>
NoLop.txt
NoLopOLD.txt
delete.bat
OTMoveIt.exe    <OTMoveIt by OldTimer>
OTMoveIt2.exe
_OTMoveIt
OTScanIt.exe    <OTScanIt by OldTimer>
OTScanIt
rustbfix.exe    <Rustbfix by Ejvindh>
Rustbfix
sdfix.exe       <SDFix by Andy_Manchesta>
SDFix
Silent Runners.vbs  <by Andrew ARONOFF>
SmitfraudFix.exe <SmitfraudFix by S!Ri>
SmitfraudFix
rapport.txt
SysInsite       <System Insite by Bobbi Flekman>
VundoFix.exe    <VundoFix by Atribune>
VundoFix Backups
vundofix.txt
vundofix.vft
win32delfkil.exe <WinDelfKil by Markie>
_backupD
windelf.txt
winpfind.exe    <WinPfind by OldTimer>
WinPfind
WinPFind3u.exe  <WinPFind3 by OldTimer>
WinPFind3u
WinPFind35u.exe  <WinPFind35 by OldTimer>
WinPFind35u
cleanup.txt

[evilfantasy]

Strange.

These are the files we are trying to delete with OTMoveIt2. You may have to go in and manually delete them.

C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\tmp.reg
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.zip

[lectrocrew]

Ok. I've deleted 1 so far. Give me a few minutes.

[lectrocrew]

done, and only because I am trying to be cautious, do I now empty my 'Recycle Bin'?

[evilfantasy]

Yep, then do the rest of the instructions.

[lectrocrew]

Use the Secunia Software Inspector to check for out of date software.

Click Start Now

Check the box next to Enable thorough system inspection.

Click Start

Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

When I clicked the start button in Secunia Software Inspector, it showed a message saying I needed Sun Java from www.java.com for Secunia Software Inspector to run correctly. so I went to java.com and downloaded the latest java file and verified that I have the latest version, but it looks like Secunia still has a problem with a java applet issue. Below is the current status:


Detection Statistics:

0 Applications Detected in Total
0 Insecure Versions Detected
0 Secure Versions Detected

Running For:
0 minutes, 0 seconds

Errors Detected:
0 Errors Detected     
 Enable thorough system inspection.
Enable the Secunia Software Inspector to search for software installed in non-default locations.

Beta Test! 10 days left of beta period
Beta test the 2nd generation Secunia NSI, the network aware edition of the Software Inspector. Download NSISetup.exe 
Status / Currently Processing:

*There might be problems loading the Java Applet in your browser. 
-------------------
*I wrapped the last sentence in bold myself.
what now?
BTW, did I mention that I really appreciate your time doing this!!!

 
 

[evilfantasy]

You may need to restart the computer if you just downloaded the Java.