I've recently serviced an HP Pavilion 751n 1.8 GHz P4, 240 megabytes RAM, Windows XP and only a handful of pre-Service Pack 1 updates. It was "protected" only by McAfee VirusScan 8.0. Personal Firewall was not installed. In addition to a horrific malware infection, it also had been inadvertently abused with video driver installations that were not properly uninstalled.

It required nearly thirty minutes to nurse this machine into accepting the installation of Ad-Aware SE Personal from CD. After finally getting msconfig opened, I was able to disable enough to reboot and permit an install and update from CD.

For your information, education, & amusement , I present the following:



Nasty, isn't it!


Following is the list of detected malware on the first pass. Not shown is a compromised shell entry that Ad-Aware could not repair on its own.

Ad-Aware SE Build 1.05
Logfile Created on:Monday, October 18, 2004 3:52:44 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R13 16.10.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:8):46 total references
Adintelligence.AproposToolbar(TAC index:5):2 total references
AdLogix(TAC index:6):14 total references
Adsincontext(TAC index:6):1 total references
Alexa(TAC index:5):11 total references
AutoSearchBHO(TAC index:6):1 total references
BargainBuddy(TAC index:8):2 total references
begin2search(TAC index:10):61 total references
BonziBuddy(TAC inde ):2 total references
BrowserAid(TAC index:6):74 total references
Claria(TAC inde ):41 total references
ClearSearch(TAC inde ):46 total references
CommonName(TAC inde ):1 total references
CoolWebSearch(TAC index:10):30 total references
Coulomb Dialer(TAC index:5):2 total references
Dialer(TAC index:5):6 total references
DownloadPlus(TAC index:5):2 total references
DyFuCA(TAC index:3):64 total references
Ebates MoneyMaker(TAC index:4):17 total references
EGroup Dialer(TAC index:5):9 total references
eUniverse(TAC index:10):23 total references
EzuLa(TAC index:6):233 total references
Favoriteman(TAC index:8):6 total references
Gigatech Superbar(TAC index:5):29 total references
IBIS Toolbar(TAC index:5):4 total references
Superlogy.com(TAC index:5):4 total references
I-LookUp(TAC index:8):69 total references
istbar.dotcomToolbar(TAC index:5):2 total references
istbar(TAC index:6):22 total references
Lop(TAC inde ):3 total references
Lycos Sidesearch(TAC inde ):42 total references
MemoryWatcher(TAC index:4):14 total references
MetaDirect(TAC index:5):63 total references
midADdle(TAC index:4):19 total references
MRU List(TAC index:0):26 total references
MSCnt(TAC index:6):8 total references
MSView(TAC index:10):59 total references
MyDailyHoroscope(TAC index:5):38 total references
MyWay.Speedbar(TAC index:4):44 total references
NetPal(TAC inde ):7 total references
Other(TAC index:5):10 total references
PeopleOnPage(TAC inde ):35 total references
Possible Browser Hijack attempt(TAC index:3):26 total references
Powerscan(TAC index:5):7 total references
PromulGate(TAC index:5):7 total references
Rads01.Quadrogram(TAC index:6):2 total references
Roings(TAC index:5):5 total references
SafeSearch(TAC index:4):9 total references
StatBlaster(TAC index:8):20 total references
TopMoxie(TAC index:3):1 total references
Tracking Cookie(TAC index:3):81 total references
TurboDownload(TAC index:8):21 total references
Verticity(TAC index:3):4 total references
WhenU(TAC index:10):118 total references
Win32.Adverts.TrojanDownloader(TAC index:6):7 total references
Win32.Turown.h(TAC index:6):1 total references
Windows(TAC index:3):1 total references
Virtumundo(TAC index:10):8 total references
Visicom Media(TAC index:3):10 total references
WurldMedia(TAC inde ):1 total references
VX2(TAC index:10):15 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Upon reboot, the hard drive got busy again and I found more processes appearing. So I ran Trojan Hunter and came up with the following:

Registry scan

Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Optimizer (matches Adware.AvenueMedia.InternetOptimizer.100)
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EbatesMoeMoneyMaker (matches Adware.EbatesMoeMoneyMaker.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com (matches Adware.Gator.100)
Registry value exists: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MyDailyHoroscope (matches Adware.MyDailyHoroscope.101)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Desktop\LicenseStores (matches Adware.NetSpry.100)
Registry key exists: HKEY_CLASSES_ROOT\ATLEvents.ATLEvents (matches Adware.VirtuMonde.102)
Registry key exists: HKEY_CLASSES_ROOT\ATLEvents.ATLEvents.1 (matches Adware.VirtuMonde.102)
Registry value exists: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WhenUSave (matches Adware.WhenU-Save.100)
Registry value exists: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WhenUSearch (matches Adware.WhenU-Search.100)
Registry value exists: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WhenUSearchWHSE (matches Adware.WhenU-Search.100)
Registry value and data exist: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rundll16=C:\WINDOWS\rundll16.exe (matches ATrojan.200)

Inifile scan

No suspicious entries found

Port scan

No suspicious open ports found

Memory scan

Found trojan running in memory: C:\WINDOWS\System32\mslads.exe, PID: 1944 (Adware.PeopleOnPage.101)
Found trojan running in memory: C:\documents and settings\owner\local settings\temp\cB0zc1V6.exe, PID: 532 (Adware.StatBlaster.100)
Found trojan running in memory: C:\WINDOWS\System32\mspptnet.exe, PID: 664 (Adware.PeopleOnPage.102)

File scan

Found trojan file: C:\Documents and Settings\Owner\Desktop\backups\backup-20041018-164019-293.dll (Adware.VirtuMonde.104)
Found trojan file: C:\Documents and Settings\Owner\Local Settings\Temp\adlinstallwin32.exe/74IqjJOc.exe (Adware.SecondThought.115)
Found trojan file: C:\Documents and Settings\Owner\Local Settings\Temp\bkinst.exe (Adware.VirtuMonde.103)
Found trojan file: C:\Documents and Settings\Owner\Local Settings\Temp\cB0zc1V6.exe (Adware.StatBlaster.100)
Found trojan file: C:\Documents and Settings\Owner\Local Settings\Temp\F.dll (Adware.MidAddle.100)
Found trojan file: C:\Documents and Settings\Owner\Local Settings\Temp\thin-116-1-x-x.exe (Adware.BetterInternet.100)
Found trojan file: C:\Documents and Settings\Owner\Local Settings\Temp\WildWinTracker.exe (Adware.NetSpry.100)
Found trojan file: C:\Program Files\Common Files\CMEII\GStore.dll (Adware.Gator.100)
Found possible trojan file: C:\Program Files\HPSelect\qfl2001\Quicken Family Lawyer 2001\FL_2001.EXE (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found trojan file: C:\WINDOWS\SYSTEM32\cabinet4.exe (Adware.BatMeter.100)
Found trojan file: C:\WINDOWS\SYSTEM32\mslads.exe (Adware.PeopleOnPage.101)
Found trojan file: C:\WINDOWS\SYSTEM32\mspptnet.exe (Adware.PeopleOnPage.102)
Found possible trojan file: C:\WINDOWS\SYSTEM32\mssocks32.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found trojan file: C:\WINDOWS\SYSTEM32\setup_silent_25207.exe (Adware.MyDailyHoroscope.102)
Found trojan file: C:\WINDOWS\SYSTEM32\setup_silent_26222.exe (Adware.MyDailyHoroscope.102)
Found trojan file: C:\WINDOWS\SYSTEM32\thin-94-2-x-x.exe (Adware.BetterInternet.100)
14 trojan files found
2 possible trojan files found

Note the item in bold red. I'll say more about it in a few paragraphs.

I next ran CWShredder 2.0 and removed one item, then I booted into Safe Mode and ran SS&D (which detected more items), and again ran Ad-Aware and Trojan Hunter. Then I ran HijackThis 198.2 followed by a full scan by McAfee that subsequently detected and cleaned the Adware.Quadro infection plus some bad scripts. Everything looked good from HJT except for one item; I could not get rid of an .ini command that approximated the following:

(F1)Reg.ini Shell Explorer.exe C:\WINDOWS\SYSTEM32\mssocks32.exe

This was the compromised shell detection that Ad-Aware could not remove and the suspicious file reported by Trojan Hunter. I received an "Access Denied" message when attempting to delete the mssocks32.exe file so I tried editing the Shell entry in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. It promptly reset itself within a microsecond. Finally, I decided to go for broke. After backing up the registry for the fourth time, I located the file in C:\Windows\System32 and decided to rename it "bad.old." So far, so good.

Next was the test; time to reboot. Would I be successful or had I killed the operating system?

Victory! (sort-of)

After a suspenseful 30-40 second freeze at the welcome screen, a message appeared warning that the mssocks32.exe file could not be found. I clicked Okay and the OS finished loading. I then went to the registry and modified the Shell entry to "Explorer.exe". It worked!

I rebooted and found everything to be nearly normal. Next step was to install SP2 and some other updates and now the computer runs pretty good. However, the new Ad-Aware defs picked up some more MidAddle entries and one Booked-Spaced file in System32. So I'm going to monitor things for another 12 hours or so.

Giant AntiSpyware

I decided this machine was a perfect candidate so I added the trial version of Giant AS. It found 24 more items. Based on scan results, much of it was simply sitting in folders I should have noticed. But there was at least one active process that it picked up.

Here is an image of Giant showing some of what it detected. Note MidAddle, which was causing problems earlier.




Format or not?

In case you're wondering why I didn't reformat, it's because HP stores the OS setup on a hidden partition and does not supply a CD. I've already witnessed where such an arrangement can under certain conditions carry infections forward from memory.

About McAfee

Now for an observation and questions for you McAfee users. Once the overload of malware was better controlled, VirusScan was able to run decently and detect and remove Adware.Quadro. Once removed, I could observe the computer in a normal state.

I notice that after loading, the hard drive pauses and then begins some activity. Checking Task Manager shows McAfee modules and Winlogon and one of the Svchost modules to be quite active. This lasts for about 90 seconds and then things get quiet and the computer becomes more responsive. Also, VirusScan scans quite slowly and basically takes over this computer. But from what I've read, it is a very thorough scan.

Is all I've just described common behavior for VirusScan 8.0? For those of you who use VirusScan or the full Security Suite with 512 megabyte systems, does VirusScan noticeably impact performance?

WOW

reminds me that a few weeks ago my boss complained his laptop had slowed to a halt,on inspection he had no anti virus software,no adaware,no firewall,no security of any kind....and this machine was going on to the company server,(shudder!! ).
when i eventually got to load on AVG free it reported 165 virii,and adaware hundreds of bugs....thought it was the worst i'd seen,but man does this one of yours beat all!!

frankly i thought my boss an irresposible fool,but that's being nice!! i have to put up with him!!



John

Well you're going to get all the "McAfee is a virus" posts. However I've used it since Win 3.1 and like it. I currently have v.8.0 on this system and have noticed no impact on performance. What you are seeing is not normal in my experience.

MSU

Thanks for your reply.

It is also possible that some of HP's management utilities may be part of this. I've seen such behavior on some of their older machines regardless of which AV was installed.

This computer had Nvidia's display drivers installed in Ad-Remove programs and also had Intel's display applet and S3's applet onboard. I have no idea why they were installed since the onboard video adapter is an integrated SiS product.

Well Allyn, I think you've set a new record smashing the one on my brother's computer I had the pleasure to help him with a month or so ago. On his, we found 25 or so separate infestations of various adware, toolbars and trojan apps and individual files, folders & entries in the hundreds. In his case, he preferred the clean-out routine as opposed to a format (the easier route, IMHO) so that's what we did. Prior to that, he had no malware protection whatsoever beyond his NAV but now runs several. The lesson is, it's a lot smarter to prevent this stuff than clean up the aftermath.

>The lesson is, it's a lot smarter to prevent this stuff than clean up the aftermath.

Unfortunately, there is resistance to proper security among a minority of the residents of my community. There are some who still think that Norton Antivirus is all they need and believe people like me are alarmists.

Oh, well. I'll be glad to charge them to repair their computers.

Sounds like job security to me

MSU

Malware and McAfee. Is there some distinction here I'm missing?

Shelly

Shelly, I've been patiently awaiting your comment!

>Malware and McAfee. Is there some distinction here I'm
>missing?

Well they both start with an M and end with an e.... other than that they're pretty similar, the latter being just one letter shorter.

Allyn,

Great job in whipping that beast back into shape. Hate to see what his/her final bill was... did you charge any extra for the added aggrevation?

>Great job in whipping that beast back into shape. Hate to
>see what his/her final bill was... did you charge any extra
>for the added aggrevation?

No. And in retrospect, I still didn't charge enough. I have a tendency to get too sympathetic when the repair bill gets close to what a new "economy" box would cost.

Good job Allyn!
The owner could have installed 1 program to prevent almost all of that. SpywareBlaster. But like Shelly said, most owners just buy a computer, hook it to a phone line, and go with it. Most are illiterate and clueless as to what's out there.

>No. And in retrospect, I still didn't charge enough. I have
>a tendency to get too sympathetic when the repair bill gets
>close to what a new "economy" box would cost.

Don't feel too bad. If they bought a new PC, they would have to hire you to transfer all their data, install their programs and setup their email. The other possibility would be that they don't hire you to setup the new PC, but then it gets infected with the same kinds of things in a few months because they didn't know they had to do an initial launch of the McAfee or Norton that gets installed on the retail machines to get it to receive regular updates.

One way or another these people will end up paying. I'm not trying to blame them, but most PC users have no idea about maintenance and security issues.

Shelly, I have to disagree with you here. The same type of posts occur often at DSLReports, only with NAV as the resident AV. I don't think it is fair to expect an AV to protect against adware-spyware. AVs are not primarily designed to protect against that type of malware. Not only that, but it's clear from this rather gross example that this PC was abused and the person did not observe healthy security practices. Maybe surfed a lot of warez, porn, and otherwise sleazy places on the Net that are teeming with this Crap.

The reason I say this is that I know McAfee is an excellent AV, {even though I'm known to be a Norton Loyalist}; in some ways McAfee is better than NAV, it has much better runtime-unpackers and scores a detection rate on several tests that rival Kaspersky which I regard as the absolute best AV in terms of detection.

No AV will protect against this sort of spyware Crap, especially on a PC that is abused by someone who has no clue about Basic Security. Also, although I do think IE can be configured and used safely, maybe this person could start by using Mozilla, Opera, Firefox -- to avoid the driveby downloads that use ActiveX vulnerabilities.

I have just come from a Board {DSLReports} where I felt there is too much NAV-Bashing and false blame going on. Let's not do the same thing here, just because someone uses a different AV from our own pet preferences .. OK? Thanks Guys ..

Again, I think the problem lies squarely with the clueless person(s) who abused this PC, not with their AV ... JMHO

I never said that McAfee was responsible for any of it. Although there were a slew of trojans involved, and some viruses. My comment was to indicate that I see little if any difference between McAfee and other varieties of malware. There can be no argument that the condition of the computer was a result of the actions, or lack of them, by the computer owner. Unfortunately, the vast majority of computer owners are cyber illiterate, and having McAfee as your only line of defense is suicidal.

Shelly

>...and having McAfee as your only line of defense is suicidal.

In my opinion, having ANY anti-virus as your ONLY line of defense is suicidal.

Acadia

>>...and having McAfee as your only line of defense is
>suicidal.
>
>In my opinion, having ANY anti-virus as your ONLY line of
>defense is suicidal.
>
>Acadia

Well Said, that's why I mentioned having seen several such similar threads on the other Board, only with NAV as the sole defense, and believe me, NAV did just as miserably there as McAfee did here. Really no security software {AV/AT/AS} will protect a clueless user from his own stupidity, excuse my bluntness ..

>I received an "Access Denied" message when attempting to
>delete the mssocks32.exe file so I tried editing the Shell
>entry in the registry at >color=black]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Winlogon. It promptly
>reset itself within a microsecond.

Allyn,

Sounds like you did a heck of job in cleaning that infested PC. I'd like to follow your train of thought here... how did you know that deleting the mssocks32 file would work? And when you say "promptly reset itself..." - what file are you referring to?

Actually, I didn't know if would work. I was at the point where I was about to attempt a reformat, dismissing any concerns over HP's restore procedure. But I also felt I was close to getting this computer back to a reliable, workable state. Remembering how much grief VX2 gave me before Lavasoft released their VX2 Cleaner Plug-in, I decided to go ahead and gamble that this bug could not be as bad or as hard to get rid of as the "malignant" form of VX2. Bless Lavasoft for their VX2 Cleaner!

To clarify what happened, here is an excerpt from the first post. The .ini line from HijackThis was not copied anywhere. It's what I best recall from the HijackThis log.

Everything looked good from HJT except for one item; I could not get rid of an .ini command that approximated the following:

(F1)Reg.ini Shell Explorer.exe C:\WINDOWS\SYSTEM32\mssocks32.exe

This was the compromised shell detection that Ad-Aware could not remove and the suspicious file reported by Trojan Hunter. I received an "Access Denied" message when attempting to delete the mssocks32.exe file so I tried editing the Shell entry in the registry at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

Name = Shell
Data = Explorer.exe C:\windows\system32\mssocks32.exe

Note that standard Windows configuration for the above key is

Name = Shell
Data = Explorer.exe

All I wanted to do was delete C:\windows\system32\mssocks.32 from the Data field and leave Explorer.exe.

Obviously, the key was being monitored to prevent modification as some process restored the key back to its compromised data configuration as soon as I closed and reopened the key. In other words, I could not modify the key!

Also, I could not delete the mssocks32.exe file even when I changed its name to bad.old. So I decided to reboot and see what happens. If it did not work, it was also possible that the computer might not be bootable, depending on how certain security settings were configured. As it turned out, Windows XP started up, though with a suspenseful delay. Protection for the Shell registry key was gone and I was able to set the key to the default data Explorer.exe.

I removed the renamed mssocks32.exe file and have it ready to send to Mischel and to Lavasoft for analysis.

EDIT: I have a hunch what this file is. I believe it's related to the RAT malware reported by Giant AntiSpyware. This compromised entry to the Winlogon key may have allowed the remote controller to work via command.exe (it may have been command.com but it was not a Microsoft DOS file) planted in the root folder. This was removed by Giant AS. I observed the file and was so burned out that I missed its significance. The real Command.com is is System32 in Windows XP.

Good Show Allyn, you can send that sample to:

submit@misec.net
avsubmit@symantec.om
submit@diamondcs.com.au
Virus_Research@avertlabs.com

and if not too much trouble, I would appreciate a copy. {PM for address}. I think the AVERTlabs requires you to zip up a copy of the sample and apply a password of "infected". I mentioned AVERT since McAfee is the AV in question here, and they most probably would like a look at it.

Warmly, Ran