Spy-Agent.bc, Spy-Agent.i, AdClicker-BW, Background Changes

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mmeyer, Jul 6, 2006.

  1. Mmeyer

    Mmeyer Private E-2

    Hi --
    Running Windows XP v.2002, 3.2 GHz processor, 1.2 GB of RAM ...
    2 Major problems:
    1) McAfee continuously pops up the following 3 messages:
    "The File C:\WINDOWS\system32\{--random Hex codes--}.e ... was infected by the Spy-Agent.bc trojan and has been deleted to complete the Clean process."
    "The File C:\WINDOWS\system32\{--random Hex codes--}.e ... was infected by the Spy-Agent.i trojan and has been deleted to complete the Clean process."
    "The File C:\WINDOWS\system32\{--random Hex codes--}.e ... was infected by the AdClicker-BW trojan and has been deleted to complete the Clean process."
    These messages continuously pop up.
    2) About 1 week after receiving these messages and with no access to the internet (via a browser, anyway) my background was deleted, replaced by a bright red screen with an advertisement for a spy-ware removal package (I believe it was RazeWare but ... continue reading .....)
    Upon running your initial steps for cleaning, the message and red background were deleted, but now the background oscillates between white and tan (no advertisement, however), and I still receive the McAfee notices from (1).

    It should be noted that I did not run the initial steps in safe mode, but, rather, from normal mode.

    I have attached the log files at your request.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a Wareout infection.

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now look in Add/Remove programs for the below and uninstall if found:
    UnSpyPC
    KillAndClean

    Let me know whether you find them or not and if you could uninstall them.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. If it does not launch then run it yourself. Please click Scan, and check the following items if they still exist:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    R3 - URLSearchHook: (no name) - {B6175BD9-87A3-6922-870F-F63666C5D409} - StatusCheck.dll (file missing)
    O1 - Hosts: localhost 127.0.0.1
    O4 - HKLM\..\Run: [WTFCTF] _ctcp.exe
    O4 - HKLM\..\Run: [WhatsNewBot] sound64.exe
    O4 - HKLM\..\Run: [uqvkf.exe] C:\WINDOWS\system32\uqvkf.exe
    O4 - HKLM\..\Run: [dmqud.exe] C:\WINDOWS\system32\dmqud.exe
    O4 - HKCU\..\Run: [MONITER] Shaitan1678.exe
    O4 - HKCU\..\Run: [scanSYS] 321102.exe
    O4 - HKCU\..\Run: [TRPT] syspanel.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{202D8EA6-70A2-4623-B6D8-2151B4EAF967}: NameServer = 85.255.114.45,85.255.112.195
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: NameServer = 85.255.114.45,85.255.112.195
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6952F1E5-F828-4D7A-AD2B-F6D6CB0ABCAF}: NameServer = 85.255.114.45,85.255.112.195
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DCB57C6B-E7F2-48BF-A819-82792B9C376B}: NameServer = 85.255.114.45,85.255.112.195
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.45 85.255.112.195
    O17 - HKLM\System\CS1\Services\Tcpip\..\{202D8EA6-70A2-4623-B6D8-2151B4EAF967}: NameServer = 85.255.114.45,85.255.112.195
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.45 85.255.112.195


    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\KillAndClean <--- the whole folder
    C:\Program Files\UnSpyPC <--- delete the whole folder if found
    c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
    C:\WINDOWS\system32\{CE51048A-F7A0-4A07-B326-12DAA0E74B68}.exe
    C:\WINDOWS\system32\_ctcp.exe
    C:\WINDOWS\system32\sound64.exe
    C:\WINDOWS\system32\uqvkf.exe
    C:\WINDOWS\system32\dmqud.exe
    C:\WINDOWS\system32\Shaitan1678.exe
    C:\WINDOWS\system32\321102.exe
    C:\WINDOWS\system32\syspanel.exe


    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout, and the log will let us know.

    Also attach a new HijackThis log.
     
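The HijackThis lines chaslang asks to have checked above share three Wareout signatures: O17 NameServer entries pointing every interface at the 85.255.x.x resolvers (DNS hijack), an O1 Hosts entry written backwards as "localhost 127.0.0.1", and O4 Run entries loading GUID-named or path-less executables. The script below is an added example, not part of this thread and not HijackThis code: it parses those line formats and flags the three patterns. The expected resolver set (192.168.1.1), the severity labels and the Run-entry heuristics are assumptions chosen for illustration; the sample log lines are copied from the thread except the one marked constructed.

```python
"""Audit HijackThis-style log lines for the Wareout indicators seen in this thread.

Added example, not code from the forum or from HijackThis. Assumptions are marked.
"""
import ipaddress
import re

# Assumption: on a home XP box behind a router, the router is the only legitimate
# DNS server. Real deployments would load this from the site's own DHCP/DNS config.
EXPECTED_RESOLVERS = {"192.168.1.1"}  # constructed example value

# {GUID}.exe / {GUID}.dll names like the ones listed for deletion in this thread.
GUID_BINARY = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.(?:exe|dll)$", re.I)

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<entry>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+)$")

# Sample input: lines quoted from the HJT log in this thread, plus one constructed O4 line
# that uses the GUID-named file chaslang lists under system32.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [WTFCTF] _ctcp.exe
O4 - HKLM\..\Run: [uqvkf.exe] C:\WINDOWS\system32\uqvkf.exe
O4 - HKCU\..\Run: [MONITER] Shaitan1678.exe
O4 - HKLM\..\Run: [constructed] C:\WINDOWS\system32\{CE51048A-F7A0-4A07-B326-12DAA0E74B68}.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{202D8EA6-70A2-4623-B6D8-2151B4EAF967}: NameServer = 85.255.114.45,85.255.112.195
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.45 85.255.112.195
"""


def _is_ip(token):
    """True when token parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_line(line, expected=EXPECTED_RESOLVERS):
    """Return a list of (severity, message) findings for one HJT log line."""
    line = line.strip()
    findings = []

    m = O17_RE.match(line)
    if m:
        # HJT separates servers with a comma or a space depending on the key.
        for srv in re.split(r"[,\s]+", m.group("servers").strip()):
            if srv and srv not in expected:
                findings.append(("high", f"O17 NameServer {srv} is not an expected resolver"))
        return findings

    m = O1_RE.match(line)
    if m:
        # A hosts line must start with an address; 'localhost 127.0.0.1' is reversed.
        tokens = m.group("entry").split()
        if not tokens or not _is_ip(tokens[0]):
            findings.append(("high", f"O1 hosts entry '{m.group('entry')}' is not '<ip> <name>' form"))
        return findings

    m = O4_RE.match(line)
    if m:
        target = m.group("target")
        exe = target.replace("/", "\\").rsplit("\\", 1)[-1]
        if GUID_BINARY.search(exe):
            findings.append(("high", f"O4 Run entry [{m.group('name')}] loads GUID-named binary {exe}"))
        elif "\\" not in target:
            # Heuristic (assumption): a bare filename hides where the binary really lives.
            findings.append(("medium", f"O4 Run entry [{m.group('name')}] has bare filename {target}; verify its location"))
        return findings

    return findings


def audit_log(text, expected=EXPECTED_RESOLVERS):
    """Audit every line of an HJT log; returns (severity, message, line) tuples."""
    results = []
    for line in text.splitlines():
        for sev, msg in audit_line(line, expected):
            results.append((sev, msg, line.strip()))
    return results


if __name__ == "__main__":
    for sev, msg, line in audit_log(SAMPLE_LOG):
        print(f"[{sev}] {msg}\n    {line}")
```

Entries such as `[uqvkf.exe] C:\WINDOWS\system32\uqvkf.exe` deliberately get no automatic finding: a full path to a system32 file with a random-looking name is only suspicious relative to a known-good baseline for that machine, which is exactly why the thread compares successive HJT logs by hand.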
  3. Mmeyer

    Mmeyer Private E-2

    Hi. Sorry. Was out of town. I did all that you said. Still have the problem, although now one of the spy agents in the message has been replaced by the trojan QFav-4.

    Also, per your request, found KillAndClean and deleted it successfully but did not find UnSpyPC.

    Logs attached:
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Locate the below files and delete them (use safe mode if necessary):

    C:\WINDOWS\System32\CSVEM.EXE
    C:\WINDOWS\SYSTEM32\DMVMU.EXE
    C:\WINDOWS\system32\{54936069-0CDB-4D8D-A818-52C64DC1CFC4}.exe
    C:\WINDOWS\system32\{A4F6CFB3-F09B-4C1F-B119-1A66E0077FD6}.exe


    Let me know the results!

    It looks to me like the procedure was not run at all (I know that is not the case because you have the log). But everything is still in your HJT log.

    Uninstall Windows Defender!
    Uninstall Spyware Doctor!
    And disable McAfee (or uninstall it)

    Then rerun the whole procedure and attach the fixwareout log and a new HJT log.
     
  5. Mmeyer

    Mmeyer Private E-2

    Thanks, I'll do this this afternoon. I actually had to run the process twice as I, too, noticed that a number of my deletions were still in the log. I thought the second run had taken care of everything. I'll take care of it in safe-mode.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay just let me know the results and attach the logs.
     
  7. Mmeyer

    Mmeyer Private E-2

    Okay -- still having problems with the background, but since I disabled virus-scan, etc. in McAfee not seeing the pop-ups (presumably because it's disabled). Here are the new logs:
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    FixwareOut found a lot more problems!


    Look for each of the below files in C:\WINDOWS\system32 and delete them if found!
    {D48064BA-F8C5-450B-A67F-2AB98A18F41E}.dll
    {E3799B66-B38C-40D5-B4AB-F66711956BD0}.exe
    {A9DADBA0-3908-430E-ADCA-D47FEE3BC3F7}.exe
    {E02B1C12-3EC4-4D72-AB18-DF2F539826FB}.exe
    {42C3BD3B-7375-4796-83C8-F11EA1868F05}.exe
    {0C2799A6-13A0-4DE5-BC61-3A31C4ED4BE1}.exe
    CSGSF.EXE
    DMAON.EXE

    Tell me what you find and do not find and if you could delete them or not.

    Afterwards run Fixwareout again and attach another log.

    Now run the below procedure and attach the newfiles.txt log.
     
  9. Mmeyer

    Mmeyer Private E-2

    Okay found the following:
    {D48064BA-F8C5-450B-A67F-2AB98A18F41E}.dll -- deleted in SafeMode
    {0C2799A6-13A0-4DE5-BC61-3A31C4ED4BE1}.exe -- deleted in Normal mode
    CSGSF.EXE -- Deleted in SafeMode
    DMAON.EXE -- Deleted in SafeMode
    I did not find any of the other files in that directory, either in SafeMode or normal mode.

    Attaching the requested logs:
     


  10. Mmeyer

    Mmeyer Private E-2

    Also attaching HJT log, as well (run in normal mode):
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now delete all files in the below folder (Windows will have a few from the current date in use which you cannot delete. Just work around them).

    C:\Documents and Settings\Mike\Local Settings\TEMP

    Then attach a new HJT log and also tell me how things are working.
     
  12. Mmeyer

    Mmeyer Private E-2

    Okay -- been on the computer for about 10 minutes and have not received any virus warning pop-ups
    ... BUT ...
    my background is still the off-white color. I have noticed that if I move my toolbar from the bottom of the screen I can see my old background in place of where the toolbar used to be, though.

    >>> Attached HJT log
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

     
