nasty malware that AAW, SB, and MSAS can't fix

rudeguy

Lifer
Dec 27, 2001
No idea how this thing got on my computer, and my antivirus only catches it at random. All I know is that it contains _qlogic.a. Anyone have any info or any idea how to get rid of the lil ah heck? I already did the old msconfig and killed everything, shut down any processes that didn't belong, and ran about 40 system scans. Any help is appreciated.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
If you can find a copy of the file, also email me one at tmcfadden (a) omnicast (dot) net. If you are able to ID it using Panda and Trend Micro, would you let us know what it comes up as? :)
 

rudeguy

Lifer
Dec 27, 2001
Results from the Panda scan:

Incident Status Location

Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Josh\Local Settings\Temp\f5r4Bnh.exe
Virus:Trj/Multidropper.XI Disinfected C:\Documents and Settings\Josh\Local Settings\Temp\qoolaid.exe
Virus:W32/Spybot.QV.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\0906B5BD-ADC6-4B63-B8F2-348657.asq
Virus:W32/Spybot.QV.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D21D1E94-70DE-4060-9E06-2BCA9C.asq
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\174B54BE-C6C2-4708-B41B-11117A\4554CAC2-FEB1-4387-BC80-C1F286
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\174B54BE-C6C2-4708-B41B-11117A\5AAB46C9-3FA3-4912-A2E9-08E45E
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\174B54BE-C6C2-4708-B41B-11117A\B9CBA341-0E0B-40F6-AA55-8EEB13
Adware:Adware/SideFind No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\852B5194-6EAC-4B9E-A629-9CEB49\C439B9F9-324D-47E8-86B9-098839
Virus:Trj/Pakes.V Disinfected C:\WINDOWS\d92.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\mgrsts.exe
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\pss\rtan.exeCommon Startup
Adware:Adware/QoolShown No disinfected C:\WINDOWS\system32\sgytsgp.dll
Adware:Adware/QoolShown No disinfected C:\WINDOWS\system32\sgytsgp.dll.tmp
Virus:Trj/Clicker.CY Disinfected C:\WINDOWS\system32\winup2date.dll
Virus:Trj/Clicker.CX Disinfected C:\WINDOWS\system32\wmconfig.cpl
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\wvupw.dat
Virus:Trj/Clicker.CZ Disinfected C:\WINDOWS\unadbeh.exe


That didn't seem to work, but Spy Sweeper did. Here is that log:

07:06 AM: Your spyware definitions have been updated.
07:07 AM: Sweep initiated using definitions version 475
07:07 AM: Sweeping memory for threats.
07:07 AM: Found: Memory-resident threat Clkoptimizer, version 1
07:07 AM: Memory sweep has completed. Elapsed time 00:00:06
07:07 AM: Registry sweep initiated.
07:07 AM: Found: 17 Clkoptimizer registry traces.
07:07 AM: Found: 20 IstBar registry traces.
07:07 AM: Found: 1 Bho_SideFind registry traces.
07:07 AM: Registry sweep completed. Elapsed time 00:00:19
07:07 AM: Full sweep on all local drives initiated.
07:07 AM: Now sweeping drive C:
07:07 AM: Found Cookie: 888 Cookie, version 1, c:\documents and settings\josh\cookies\josh@888[2].txt
07:07 AM: Found Cookie: Valuead Cookie, version 1, c:\documents and settings\josh\cookies\josh@valuead[2].txt
07:07 AM: Found Cookie: EadExchange Cookie, version 1, c:\documents and settings\josh\cookies\josh@www.eadexchange[2].txt
07:07 AM: Found Cookie: Adserver Cookie, version 1, c:\documents and settings\josh\cookies\josh@z1.adserver[1].txt
07:07 AM: Found Cookie: Cassava Cookie, version 1, c:\documents and settings\josh\cookies\josh@cassava[1].txt
07:07 AM: Found Cookie: GoldenPalace Cookie, version 1, c:\documents and settings\josh\cookies\josh@banner.goldenpalace[2].txt
07:07 AM: Found Cookie: ExitExchange Cookie, version 1, c:\documents and settings\josh\cookies\josh@exitexchange[2].txt
07:07 AM: Found Cookie: Advertising Cookie, version 1, c:\documents and settings\josh\cookies\josh@advertising[2].txt
07:07 AM: Found Cookie: AdDynamix Cookie, version 1, c:\documents and settings\josh\cookies\josh@ads.addynamix[1].txt
07:07 AM: Found Cookie: Adultfriendfinder Cookie, version 1, c:\documents and settings\josh\cookies\josh@adultfriendfinder[2].txt
07:07 AM: Found Cookie: Atlas DMT Cookie, version 1, c:\documents and settings\josh\cookies\josh@atdmt[2].txt
07:07 AM: Found Cookie: Apmebf Cookie, version 1, c:\documents and settings\josh\cookies\josh@apmebf[2].txt
07:07 AM: Found Cookie: StatsTracking Cookie, version 1, c:\documents and settings\josh\cookies\josh@stats-tracking[2].txt
07:07 AM: Found Cookie: Servedby Advertising Cookie, version 1, c:\documents and settings\josh\cookies\josh@servedby.advertising[1].txt
07:07 AM: Found Cookie: Tickle Cookie, version 1, c:\documents and settings\josh\cookies\josh@tickle[1].txt
07:07 AM: Found Cookie: Trafficmp Cookie, version 1, c:\documents and settings\josh\cookies\josh@trafficmp[1].txt
07:07 AM: Found Cookie: TouchClarity Cookie, version 1, c:\documents and settings\josh\cookies\josh@partypoker.touchclarity[2].txt
07:07 AM: Found Cookie: Mediaplex Cookie, version 1, c:\documents and settings\josh\cookies\josh@mediaplex[1].txt
07:07 AM: Found Cookie: metareward.com Cookie, version 1, c:\documents and settings\josh\cookies\josh@metareward[1].txt
07:07 AM: Found Cookie: Qksrv Cookie, version 1, c:\documents and settings\josh\cookies\josh@qksrv[2].txt
07:07 AM: Found Cookie: RedNova Cookie, version 1, c:\documents and settings\josh\cookies\josh@rednova[1].txt
07:07 AM: Found Cookie: Partypoker Cookie, version 1, c:\documents and settings\josh\cookies\josh@partypoker[2].txt
07:07 AM: Found Cookie: Overture Cookie, version 1, c:\documents and settings\josh\cookies\josh@perf.overture[1].txt
07:07 AM: Found Cookie: 2o7.net Cookie, version 1, c:\documents and settings\josh\cookies\josh@2o7[2].txt
07:07 AM: Found Cookie: 888 Cookie, version 1, c:\documents and settings\josh\cookies\josh@888[1].txt
07:07 AM: Found Cookie: PreciseAd Cookie, version 1, c:\documents and settings\josh\cookies\josh@adopt.precisead[2].txt
07:07 AM: Found Cookie: Adorigin Cookie, version 1, c:\documents and settings\josh\cookies\josh@adorigin[1].txt
07:07 AM: Found Cookie: Azjmp Cookie, version 1, c:\documents and settings\josh\cookies\josh@azjmp[2].txt
07:07 AM: Found Adware: MoneyTree, version 1, c:\program files\microsoft antispyware\quarantine\174b54be-c6c2-4708-b41b-11117a\5aab46c9-3fa3-4912-a2e9-08e45e
07:07 AM: Found Cookie: UrlLogic Cookie, version 1, c:\documents and settings\josh\cookies\josh@s.urllogic[2].txt
07:08 AM: Found Adware: InternetOptimizer, version 1, c:\program files\microsoft antispyware\quarantine\174b54be-c6c2-4708-b41b-11117a\4554cac2-feb1-4387-bc80-c1f286
07:08 AM: Found Adware: InternetOptimizer, version 1, c:\program files\microsoft antispyware\quarantine\174b54be-c6c2-4708-b41b-11117a\b9cba341-0e0b-40f6-aa55-8eeb13
07:08 AM: Found Adware: Bho_SideFind, version 1, c:\program files\microsoft antispyware\quarantine\852b5194-6eac-4b9e-a629-9ceb49\c439b9f9-324d-47e8-86b9-098839
07:09 AM: Found Adware: IstBar, version 1, c:\documents and settings\josh\local settings\temp\f5r4bnh.exe
07:09 AM: Found Adware: Clkoptimizer, version 1, c:\windows\pss\rtan.execommon startup
07:09 AM: Found Adware: Clkoptimizer, version 1, c:\windows\system32\sgytsgp.dll.tmp
07:09 AM: Found Adware: Clkoptimizer, version 1, c:\windows\system32\winup2date.dll
07:09 AM: Found Adware: Clkoptimizer, version 1, c:\windows\system32\doabdoc.exe
07:09 AM: Found Adware: Clkoptimizer, version 1, c:\windows\system32\darad.dll
07:09 AM: Found Adware: Clkoptimizer, version 1, c:\windows\system32\sgytsgp.dll
07:09 AM: Found Adware: Clkoptimizer, version 1, c:\windows\system32\wvupw.dat
07:09 AM: Found: 41 file traces.
07:09 AM: Full Sweep has completed. Elapsed time 00:02:56
21,559 files swept
80 item traces located

Looks like everything is all good now. Apparently whatever I had simply opened the door for other crap to download and install without me knowing it.

Thanks guys.
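An added triage aid, not code from the thread: a small Python parser for the Panda scan lines posted above. It handles the two-word "No disinfected" status (a plain whitespace split misaligns the columns) and separates hits inside Microsoft AntiSpyware's own Quarantine and DeactivatedItems folders, which are copies another tool already neutralised, from items Panda left in place elsewhere, the ones still worth manual attention. The sample lines are copied from the post; the folder patterns used to recognise another product's store are an assumption.

```python
import re

# Constructed sample: a handful of the Panda scan lines quoted in the post above.
PANDA_LOG = r"""
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Josh\Local Settings\Temp\f5r4Bnh.exe
Virus:Trj/Multidropper.XI Disinfected C:\Documents and Settings\Josh\Local Settings\Temp\qoolaid.exe
Virus:W32/Spybot.QV.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\0906B5BD-ADC6-4B63-B8F2-348657.asq
Adware:Adware/SideFind No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\852B5194-6EAC-4B9E-A629-9CEB49\C439B9F9-324D-47E8-86B9-098839
Virus:Trj/Pakes.V Disinfected C:\WINDOWS\d92.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\system32\sgytsgp.dll
"""

# One Panda result line: "<Category>:<Detection> <Status> <Location>".
# Status is either "Disinfected" or the two-word "No disinfected", so it is
# matched explicitly instead of splitting the line on whitespace.
LINE_RE = re.compile(
    r"^(?P<category>\w+):(?P<name>\S+)\s+(?P<status>Disinfected|No disinfected)\s+(?P<path>.+?)\s*$"
)

# Assumed folder patterns for another product's holding area (Microsoft AntiSpyware
# here). Hits inside them are stored samples, not code that is running.
OTHER_TOOL_STORES = ("\\microsoft antispyware\\quarantine\\",
                     "\\microsoft antispyware\\deactivateditems\\")


def parse_panda(text):
    """Parse Panda scan output into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Bucket one result: held by another tool, cleaned by Panda, or still needing attention."""
    path = entry["path"].lower()
    if any(store in path for store in OTHER_TOOL_STORES):
        return "other_tool_store"
    if entry["status"] == "Disinfected":
        return "cleaned"
    return "needs_attention"


def triage(entries):
    """Group locations by bucket so 'No disinfected' items outside any quarantine stand out."""
    buckets = {"needs_attention": [], "cleaned": [], "other_tool_store": []}
    for e in entries:
        buckets[classify(e)].append(e["path"])
    return buckets
```

Run `triage(parse_panda(PANDA_LOG))` and the `needs_attention` bucket lists the Temp and system32 files that no tool has yet removed.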
 

SagaLore

Elite Member
Dec 18, 2001
Originally posted by: mechBgon
If you can find a copy of the file, also email me one at tmcfadden (a) omnicast (dot) net. If you are able to ID it using Panda and Trend Micro, would you let us know what it comes up as? :)

If you find anything out about it, and it turns out to be a new kind of spyware, fill me in on the details and I will post it on -. :)

The results from the Panda scan aren't in your favor. :eek: I would run Trend to make sure Panda didn't miss anything, then download/install/update Spybot Search & Destroy since it will pick up stuff that antiviruses miss.
 

biostud

Lifer
Feb 27, 2003
Both my lappy and my regular PC got viruses this week even though they had AVG running, so now I've switched to AntiVir.
(I got suspicious when browsing felt slow and I found a strange app using all the CPU cycles.) I used the Panda online scan to remove it, as AVG wouldn't start its virus scanner.