AnimeSuki Forums

Old 2008-03-02, 02:37   Link #1
Lynx190
Keine is moo.
 
 
Join Date: Oct 2007
Location: Ohio
Age: 42
Massive spyware/trojan/keylogger problem

First off, I have to mention that despite using IE, in 8 years I have never experienced any major issues with viruses or spyware, despite going about 5 of those years without even an antivirus program, just occasional scans with free programs (which never turned up any more than minor problems). I configure my settings properly and am careful what sites I visit (if I'm going someplace highly questionable I switch to Firefox).

But just tonight, when I tried to view Animesuki's page for the Kodomo no Jikan torrents, my Norton warned me that it blocked a browser exploit; this was the "MSIE ADODB.Stream Object File Installation Weakness" warning that I've gotten several times sporadically in the past on seemingly harmless websites (including AS before) and nothing ever happened afterwards. This time though, my computer got bombarded by a massive number of spyware programs installing (those ones that tell you that you have spyware and to install their bogus spyware removal program), changing my desktop, disabling Task Manager... Norton seemed to block them from connecting to the internet afterwards, but did nothing to stop them from installing, a quick scan wouldn't even reveal them.

I installed and scanned with Spy Sweeper at my dad's advice, it turned up a bunch of crap including a keylogger (!!) which meant I sure as hell wasn't going to enter my credit card info to pay for Spy Sweeper to actually remove the stuff. So I downloaded Spybot and scanned and deleted, but it all just reinstalled itself. My dad ended up lending me his copy of Spy Sweeper and bought another license himself so I could use it... scanned and quarantined/deleted but again everything reinstalled itself. I went into the registry and re-enabled Task Manager (before the spyware disabled it again) but couldn't find any blatant spyware in the system processes. Right now the keylogger and a dialer (lol, not like that one affects me) are being repeatedly quarantined as they try to reinstall, but the other popup crap is still going on.

I'm checking various help sites for this kind of thing, and found someone who posted a few hours ago with the exact same problem, so it sounds like it might be something brand-new that there's no defense against at the moment. I'm going to try checking around some more then I'll fire up a full system scan while I go to bed. I know this isn't exactly the ideal site to go to for help on this kind of thing, but I'm posting it here because the whole thing started with visiting one of the torrent listings here :/
Old 2008-03-02, 03:28   Link #2
Jinto
Asuki-tan Kairin ↓
 
 
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
Animesuki is not responsible for the trackers, though if there is a malicious one, I bet the Animesuki staff would want to know, since they are not interested in promoting such trackers.

Regarding your problem: if you can, boot Windows up in Safe Mode and do the scan there.
After this you could use the following tool:

hijackthis

On this site there is also a bunch of other useful tools, like the CWS Shredder. I'd advise running at least one further tool, the CWS Shredder.

Hijackthis will give you a log. If you post the log here (in a spoiler), we could try to figure out what's wrong. Or you can use those sites that automatically analyse your Hijackthis log file if you don't feel like posting it here.

I wish you much success in fixing your system.
__________________
Folding@Home, Team Animesuki
Old 2008-03-02, 04:31   Link #3
Lynx190
Keine is moo.
 
 
Join Date: Oct 2007
Location: Ohio
Age: 42
Spywareinfo is actually where I just was, I had to download AVG first so I could get all the "before-you-post-your-problem" steps done before posting on the forums there, and just finished the scan with that.

And I never touched a tracker, it hit as soon as I went to AS's listing of episodes (with links to the torrents but I never clicked one). It doesn't make sense that I'd be getting something like that just by browsing AS, but that's what happened... and like I said it's not the first time Norton has given me warnings here (it's always on the series pages, never on the forums or anywhere else); it might be related to AS pulling info from the trackers on those pages, that's the only explanation I can think of. The difference between this time and all the others is my computer got bombarded by spyware this time, while before I just shrugged and assumed Norton was falsely detecting a threat. (I'm usually one of the first to laugh at people who go to website forums and complain "OMG your site gave me a virus because my antivirus said so!" because their security is set excessively high or something).
Old 2008-03-02, 05:30   Link #4
grey_moon
Yummy, sweet and unyuu!!!
 
 
Join Date: Dec 2004
Hmmm, unless the admins have cleaned it up, I'm not getting any hits from the AS/KnJ torrent summary page. I'm running Outpost FW 2008 with AS, NOD32 and AVG AS. I've still got a licence of Spyware Sweeper kicking around but I don't really want to bloat my XP machine any more than it is, as I use it for games more than anything else.

Is your PC fully patched? I wonder, could you have been infected earlier and just happened to get the warning when you browsed to that page?
Old 2008-03-02, 06:00   Link #5
Lynx190
Keine is moo.
 
 
Join Date: Oct 2007
Location: Ohio
Age: 42
I keep everything up-to-date, have ActiveX settings properly secure, etc. I was figuring it was most likely I picked up something earlier and it decided to install right then by coincidence, but the fact that it happened right after that browser exploit warning that I've gotten several times before on AS seemed rather odd.

I posted here: http://forums.spywareinfo.com/index....=0#entry620219

Someone else posted with the exact same problem like 15 minutes before I got that crap, I'm suspecting it's something new that none of the anti-spyware programs have updates for yet. As I said there, I'm going to bed now, leaving Norton scanning, see what happens tomorrow. So pissed, I've wasted nearly 8 hours on this crap (well, I finally had a reason to go play my PS2 that's been collecting dust while I was letting AVG scan, but most of the rest of the time was at my computer working on fixing this)
Old 2008-03-02, 06:20   Link #6
Sci-Fi
Senior Member
 
 
Join Date: Mar 2007
Should turn off "system restore", if you haven't already, to make sure it doesn't come back through that route. Starting up in safe mode and then running your anti-virus/spyware removers/trojan scanners tends to work better, although it takes longer, since only the basics are loaded.
Old 2008-03-02, 09:30   Link #7
Jinto
Asuki-tan Kairin ↓
 
 
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
In Windows safe mode, delete the following files first in Explorer. Then run HJT and delete these entries (better run HJT before, to check if there are new such DLLs that also need to be deleted):

C:\WINDOWS\system32\mgmrwmrv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe
O2 - BHO: (no name) - {c12cc8ba-1dd1-11b2-bdc2-fd61f5c44c53} - C:\WINDOWS\pmjydmfm.dll
O4 - HKLM\..\Run: [lutcvwdo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lutcvwdo.dll"


nonsense which should also be deleted:

O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)


You might also check for rootkits with e.g. RootkitRevealer.
__________________
Folding@Home, Team Animesuki
Old 2008-03-02, 13:20   Link #8
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 38
Quote:
Originally Posted by Lynx190
First off, I have to mention that despite using IE, in 8 years I have never experienced any major issues with viruses or spyware, despite going about 5 of those years without even an antivirus program, just occasional scans with free programs (which never turned up any more than minor problems). I configure my settings properly and am careful what sites I visit (if I'm going someplace highly questionable I switch to Firefox).
You may be able to get away with not using a virus scanner, but I sincerely hope you were using a firewall at the very least. I've heard a lot of people "boasting" that they run an unpatched, unsecured version of Windows and have never been infected, which gives me a good reason to ask how they'd know if they were infected. In my experiences you'd only know of an infection by scanning with a reputable software, or when that software starts to act strangely (because a virus modified it). People are still used to the idea that viruses cause obvious data loss or destroy their computers; they don't realize that money in the black market is derived from people who want to take control of computers without the owners having the slightest clue about it. Malware these days is made to be undetectable to the user, and unless you're monitoring your outbound connections and bandwidth usage like a hawk you'd have no way of knowing without security software to help you. That's a bit of a rant and it's not all directed at you Lynx190, but I've seen so many self-proclaimed Windows experts running around saying similar things that I want this message to be available to anyone who runs across this topic.

Spyware has also spawned its own industry of fake products and such. Be very wary of spyware software that will perform a scan and then require payment for removal - a large number of those programs are malware in and of themselves. grey_moon is familiar with Spyware Sweeper so it's fine.

Quote:
I was figuring it was most likely I picked up something earlier and it decided to install right then by coincidence, but the fact that it happened right after that browser exploit warning that I've gotten several times before on AS seemed rather odd.
It's possible that you were infected with something even earlier that modified your DNS entries. In other words, malware controls where your browser goes, regardless of the IP or URL you enter into it. This can make it even easier to get your system to download other malware.

Since you're still fixing your stuff I don't want to come off as scolding you, but please take computer security seriously. It's for your own protection and also for the rest of us - who knows if your system has been sending out spam emails to the world? My roommate's computer was overrun by something and in one night it sent out ~11,000 emails (the university gave us the exact number that were sent out before shutting his connection off). All of us here will gladly make recommendations for free security software and good computing practices (I can assure you that they extend beyond "use firefox").
Old 2008-03-02, 13:52   Link #9
Lynx190
Keine is moo.
 
 
Join Date: Oct 2007
Location: Ohio
Age: 42
I meant the first 5 of those 8 years were without an antivirus; during that time I still ran scans with anti-spyware programs, but I never had a constantly running prevention program. I've been running Norton the last few years, unfortunately this infection just blasted right past it. Mainly I was saying all that because I didn't want any snide "you're using IE, what do you expect?" comments.

I deleted all that stuff in the HJT scan, but it just reappears instantly, I obviously need to find the source of the problem because everything just reinstalls itself as soon as I get rid of it. RootkitRevealer doesn't really show anything that looks like a related problem.
Old 2008-03-02, 14:12   Link #10
bayoab
Senior Member
 
Join Date: Nov 2003
Can you please post a current HJT scan again? The dll is probably self protecting and you will need to zero it out.
Old 2008-03-02, 15:42   Link #11
jpwong
Senior Member
 
 
Join Date: Mar 2004
I got something over Xmas that was indescribably hard to remove. Even after I managed to wipe out all the DLLs, EXEs and registry entries, and all the scanners marked my machine as clean, it still had residual problems.

If it's proving hard enough to remove, you may want to consider backing up your personal files and re-installing the whole OS. It's pretty drastic, and I don't recommend it if you haven't tried out all the available removal tools, but it will wipe out the problem in most cases.
Old 2008-03-02, 15:43   Link #12
Lynx190
Keine is moo.
 
 
Join Date: Oct 2007
Location: Ohio
Age: 42
It's essentially the same as before, except those gibberish .dll's that turned up no matches on Google are gone now (pmjydmfm.dll, lutcvwdo.dll).

mgmrwmrv.exe seems to be the core of the problem, because it's continuously modifying my Windows startup settings, according to Norton.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:25 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mgmrwmrv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\HJT\HiJackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=5061213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=5061213
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.chaoticage.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.tkdragon.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9504 bytes
Old 2008-03-02, 16:26   Link #13
bayoab
Senior Member
 
Join Date: Nov 2003
Well, here is one semi-brute-force method. Note that this is a lop.com infection according to Google, so you might want to look around for the most recent lop remover. (I don't remember the name of it, but it will be linked to or attached on a spyware removal site usually.) I don't see anything that could be calling regsvr32. You should be able to kill that process without any adverse effects (and probably should do it).

*You may want to put these all in a simple folder so that they are easy to get to from the command prompt.

0) Grab pocket killbox from http://killbox.net and run it.
1) Make sure everything is closed when you start this: No running IE or explorer windows, even kill explorer.exe if you can. (use process explorer to manage everything if you can).
If you can, just have hijackthis, killbox, and process explorer running as active (stuff in the tray is fine).
2) In killbox, select "replace on reboot" and "use dummy"
3) Add the following file(s) and click the (x) (after each file). Choose not to reboot.
Quote:
C:\WINDOWS\system32\mgmrwmrv.exe
3b) Attempt to remove the following with Hijackthis
Quote:
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
4) Use process explorer to reboot and reboot into safe mode with command prompt. (The file should be replaced at this point iirc. You may get errors for trying to load a 0 byte file.)
5) Go to C:\Windows\system32\ . Do a 'dir mgmrw*' and make sure the file is 0 bytes.
6) Use the prompt to access hijackthis
7) Remove the following with Hijackthis
Quote:
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (All of them without a name)
Any DLL's with random names that appear.
8) Use the prompt to run Killbox and Repeat step 3 with the new .dll name if there is one. Check the unregister .dll box if it allows you. If the .exe is not 0 bytes yet, re-add it.
9) Use the prompt to access process explorer and use process explorer to initiate a reboot.

Now, it should be gone and/or heavily disabled. You should add any of the random name .dll's like "C:\WINDOWS\pmjydmfm.dll" to the killbox too if they still exist.

Last edited by bayoab; 2008-03-02 at 16:39. Reason: Clarifying
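The log Lynx190 posted above and the entries bayoab's steps 3b and 7 say to remove (the extra executable chained onto the F2 UserInit value, the nameless O2 BHO lines, the random-named DLLs) can be picked out mechanically. The following is an added example, not code from the thread and not part of HijackThis: a small parser for this log format that flags those patterns, plus a cross-check of the "Running processes" list against anything chained onto UserInit. The sample lines are a subset of the posted log (with the forum's "WINDO WS" line-wrap space removed); the heuristics for a BHO DLL placed directly in the Windows directory and for a Run key invoking regsvr32 on a DLL under Application Data are this example's own choices, not HijackThis rules.

```python
"""Triage a HijackThis-style log for the persistence patterns seen in this thread.

Added example (not from the thread, not HijackThis code). The sample log is a
subset of the one posted above; the severity heuristics are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the posted log, with the forum's
# line-wrap space in the UserInit path removed.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {c12cc8ba-1dd1-11b2-bdc2-fd61f5c44c53} - C:\WINDOWS\pmjydmfm.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [lutcvwdo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lutcvwdo.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

# Every HJT entry looks like "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


@dataclass
class Finding:
    severity: str   # "high" or "info"
    line: str       # the log line (or process path) the finding refers to
    reason: str


def parse_hjt(text):
    """Split a log into (processes, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def userinit_extras(body):
    """Executables chained onto UserInit besides the legitimate userinit.exe."""
    _, _, value = body.partition("UserInit=")
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def bho_issue(body):
    m = BHO_RE.match(body)
    if not m:
        return None
    path = m.group("path").strip()
    if path.lower() == "(no file)":
        return "info", "orphaned BHO registration (CLSID points at no file); clutter, clean it up"
    folder = path.rsplit("\\", 1)[0].lower()
    if folder in ("c:\\windows", "c:\\winnt"):   # heuristic: products install under Program Files/system32
        return "high", "BHO DLL dropped directly into the Windows directory"
    return None


def run_issue(body):
    low = body.lower()
    if "regsvr32" in low and "application data" in low:   # heuristic
        return "high", "Run key executes a DLL via regsvr32 from Application Data"
    return None


def triage(text):
    processes, entries = parse_hjt(text)
    findings, chained = [], set()
    for code, body in entries:
        if code == "F2" and "UserInit=" in body:
            for extra in userinit_extras(body):
                chained.add(extra.lower())
                findings.append(Finding("high", f"F2 - {body}", f"UserInit chain-loads {extra} after userinit.exe"))
        elif code == "O2":
            issue = bho_issue(body)
            if issue:
                findings.append(Finding(issue[0], f"O2 - {body}", issue[1]))
        elif code == "O4":
            issue = run_issue(body)
            if issue:
                findings.append(Finding(issue[0], f"O4 - {body}", issue[1]))
    # Cross-check: is anything chained onto UserInit currently running?
    for proc in processes:
        if proc.lower() in chained:
            findings.append(Finding("high", proc, "process named in the UserInit chain is currently running"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample it reports five findings: the chained mgmrwmrv.exe (twice, once for the F2 value and once because it is in the process list), the nameless BHO whose DLL sits in C:\WINDOWS, the regsvr32 Run key, and one orphaned BHO as informational. The orphaned "(no file)" entries are reported at low severity on purpose: they are what remains after a DLL has already been removed, which is why they accumulate in the log above.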
Old 2008-03-02, 19:34   Link #14
Lynx190
Keine is moo.
 
 
Join Date: Oct 2007
Location: Ohio
Age: 42
Your advice seems to have done the trick, although I couldn't get the mgmrwmrv.exe down to 0 bytes, it's still at 56 bytes. I meant to reboot to safe mode one last time, but Windows boots so fast and I looked away for a moment and missed the opportunity to F8... however when it booted up the spyware wasn't loading. I ran Spybot, then Spy Sweeper, then AVG, now about to run Malwarebytes' Anti-Malware (I keep picking up stuff that the previous one failed to catch... the big one being Absolute Keylogger that only Spy Sweeper catches... apparently it's supposed to be a "legitimate" commercial program so that's probably why). Then I'm going to reboot one last time and run another scan with at least one program. Just need to manually re-enable Task Manager in the registry and fix my wallpaper and things should be back to normal, although I'll probably have some leftover garbage that won't do anything on its own.

EDIT: Malwarebytes' only detected orphaned files from the spyware the other programs had removed, got rid of those and my computer appears to be clean. Thank you so much bayoab
(now I just need to figure out what anti-spyware programs to keep around so I don't have a zillion programs hogging memory... both AVG and Spy Sweeper are being annoying by staying in the processes list even if I tell them not to start automatically and shut them down completely)

I'm thinking it's highly likely I might have picked up something ahead of time (I had just run a full system scan with Norton on Friday morning though); at the time I got this infection I had just quit Utawarerumono to restart my computer because it kept slowing down massively and screwing up my combos. (It had been doing that briefly the night before too but that could have been stuff auto-updating in the background). I hadn't rebooted for quite a while so I figured I just needed to do that. Before restarting I briefly checked some websites and as soon as I hit http://www.animesuki.com/series.php/1084.html all the stuff bashed me at once.

The three warnings Norton initially gave me (all of them High Risk and labeled "A browser exploit at www.animesuki.com was blocked." and the above URL for the KnJ torrents as the attacking URL) were:

MSIE ADODB.Stream Object File Installation Weakness
MSIE WebViewFolderIcon ActiveX Control BO
MS XML Core Services XMLHTTP BO

I've gotten that first one sporadically for no apparent reason and nothing bad ever happens, this time it got followed up by the other two then the attack began. Norton seems to have blocked everything from accessing network resources (High Risk) and detected/blocked multiple trojans, but when the spyware programs started modifying my startup settings and other system settings it inexplicably flagged those as low risk and let them proceed.

Last edited by Lynx190; 2008-03-02 at 21:07.
Old 2008-03-02, 22:30   Link #15
Sepiraph
Arayashiki
 
Join Date: May 2003
Location: On the Internet
In your situation, I'd recommend doing a re-format of your computer. Start with a fresh install, then install an anti-virus program like Avast, anti-malware programs like Spybot and Adaware, enable a firewall, run Firefox with NoScript. That's pretty much my setup with Vista.

If you are still paranoid, you can browse from a public proxy server but that would affect the speed.
Old 2008-03-03, 05:46   Link #16
Jinto
Asuki-tan Kairin ↓
 
 
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
Quote:
Originally Posted by Lynx190
...
I'm thinking it's highly likely I might have picked up something ahead of time (I had just run a full system scan with Norton on Friday morning though); at the time I got this infection I had just quit Utawarerumono to restart my computer because it kept slowing down massively and screwing up my combos. (It had been doing that briefly the night before too but that could have been stuff auto-updating in the background). I hadn't rebooted for quite a while so I figured I just needed to do that. Before restarting I briefly checked some websites and as soon as I hit http://www.animesuki.com/series.php/1084.html all the stuff bashed me at once.
Maybe a malicious advertisement; it cannot be wrong to inform the admins here about this issue. Explain to them what happened, link this thread and point out that maybe some advertisement was malicious. So they know there is a potential problem.

Quote:
Originally Posted by Lynx190
The three warnings Norton initially gave me (all of them High Risk and labeled "A browser exploit at www.animesuki.com was blocked." and the above URL for the KnJ torrents as the attacking URL) were:

MSIE ADODB.Stream Object File Installation Weakness
MSIE WebViewFolderIcon ActiveX Control BO
MS XML Core Services XMLHTTP BO
Which is precisely why I said, turn off ActiveX if you want to browse with internet explorer. There is no way you can make it safe.

Quote:
Originally Posted by Lynx190
I've gotten that first one sporadically for no apparent reason and nothing bad ever happens, this time it got followed up by the other two then the attack began. Norton seems to have blocked everything from accessing network resources (High Risk) and detected/blocked multiple trojans, but when the spyware programs started modifying my startup settings and other system settings it inexplicably flagged those as low risk and let them proceed.
Well, usually they should not be loaded when Windows starts into safe mode, therefore it should be possible to remove all the DLLs and this EXE there. If it does load, there is one easy thing to really prevent it from loading: take a Knoppix Linux or another Windows which boots from CD with NT file system (NTFS) support and delete the files from there, so they really have no chance to load. One big advantage of most CD OSes is that they load into a ramdisk, so if the malware tries to install itself into such a system it will be void after a restart, since it only installed itself into the RAM of the PC.
__________________
Folding@Home, Team Animesuki
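Jinto's live-CD step above, as an added example (not the poster's own procedure): a script run from the Knoppix side once the NTFS volume is mounted read-write (for instance with ntfs-3g; the mount point is whatever you pass in). The file list is assumed to come from the scanner report; the paths and file contents in demo() are constructed. Instead of deleting, it moves each file into a quarantine folder on the same volume under a name Windows will not execute and records a SHA-256 first, so nothing can load at the next boot but the samples remain available for identification. Paths that would escape the mounted volume (a stray `..\` in the list) are refused rather than followed.

```python
#!/usr/bin/env python3
"""Offline quarantine of malware files on a Windows volume mounted from a live CD.

Added example for this thread, not the poster's own tooling. Assumes the NTFS
volume is already mounted read-write (e.g. with ntfs-3g) at mount_point and that
relative_paths come from the scanner report; demo() builds a constructed volume.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file before moving it so the sample can be identified later."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(mount_point, relative_paths, quarantine_dir="_quarantine"):
    """Move each listed file into a quarantine folder on the same volume.

    The bytes are kept (evidence) but the original path disappears and the copy
    gets a non-executable extension, so Run keys or services that still point at
    it cannot load it at the next boot. Returns one record per requested path.
    """
    root = Path(mount_point).resolve()
    qdir = root / quarantine_dir
    qdir.mkdir(exist_ok=True)
    records = []
    for rel in relative_paths:
        # Windows-style separators from the report -> POSIX path below the mount
        src = (root / rel.replace("\\", "/")).resolve()
        rec = {"original": rel, "found": False}
        if root not in src.parents:
            rec["error"] = "path escapes the mounted volume"   # e.g. ..\..\ in the list
        elif not src.is_file():
            rec["error"] = "not present"                       # already gone or misreported
        else:
            st = src.stat()
            rec.update(found=True, sha256=sha256_of(src), size=st.st_size,
                       mtime=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)))
            dest = qdir / (src.relative_to(root).as_posix().replace("/", "__") + ".quarantined")
            shutil.move(str(src), str(dest))
            rec["quarantined_as"] = dest.relative_to(root).as_posix()
        records.append(rec)
    (qdir / "manifest.json").write_text(json.dumps(records, indent=2))
    return records


def demo():
    """Constructed volume: two dropped files, one path already gone, one escape attempt."""
    vol = Path(tempfile.mkdtemp(prefix="ntfs_"))
    samples = {   # constructed names and contents, not real malware
        "WINDOWS/system32/kbdhook.dll": b"MZ" + b"\x90" * 64,
        "Documents and Settings/user/Application Data/updater.exe": b"MZ" + b"\xcc" * 32,
    }
    for rel, data in samples.items():
        p = vol / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    listed = [
        r"WINDOWS\system32\kbdhook.dll",
        r"Documents and Settings\user\Application Data\updater.exe",
        r"WINDOWS\system32\gone.exe",
        r"..\..\etc\passwd",
    ]
    records = quarantine(vol, listed)
    return {
        "records": records,
        "originals_gone": [not (vol / rel).exists() for rel in samples],
        "quarantined_present": [(vol / r["quarantined_as"]).is_file() for r in records if r["found"]],
        "manifest_present": (vol / "_quarantine" / "manifest.json").is_file(),
    }


if __name__ == "__main__":
    print(json.dumps(demo()["records"], indent=2))
```

The Run entries, BHOs or services that pointed at those files still exist in the registry on the volume; once the machine boots clean, remove them too (Sysinternals Autoruns shows them), otherwise Windows only complains about a missing file at every start. Keep the manifest: the hashes are what you search for or submit to a vendor.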
Old 2008-03-03, 06:35   Link #17
grey_moon
Yummy, sweet and unyuu!!!
 
 
Join Date: Dec 2004
Quote:
Originally Posted by Jinto
Which is precisely why I said, turn off ActiveX if you want to browse with Internet Explorer. There is no way you can make it safe.
Sandboxie does a pretty decent job...

http://www.sandboxie.com/
__________________
Old 2008-03-03, 16:33   Link #18
Lynx190
Keine is moo.
 
 
Join Date: Oct 2007
Location: Ohio
Age: 42
Thanks for the continued advice, but as the first two paragraphs of my last post said, bayoab's directions got rid of the core problem and let me wipe out the lingering spyware without it reinstalling anymore. So everything is fine now.

As for the ActiveX thing, I have it set to "Download unsigned ActiveX controls" > Disable, "Download signed ActiveX controls" > Prompt, and "Initialize and script ActiveX controls not marked as safe" > Disable. I suppose it might have spoofed itself as a safe control, the scripting of which is set to Enable; however, as I just said, the two download options are on Disable and Prompt, so it shouldn't have been automatically downloading any ActiveX control to begin with.
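The settings Lynx190 lists live as DWORD values under the Internet zone key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, named by IE's URL-action IDs (1001 = download signed ActiveX, 1004 = download unsigned, 1201 = initialize/script controls not marked safe, 1405 = script controls marked safe, 1200 = run ActiveX, 1400 = active scripting) with 0 = Enable, 1 = Prompt, 3 = Disable. bayoab's advice later in the thread (reset the security settings and redo them by hand, because malware drops registry values that override the buttons) is easiest to act on by reading the raw export rather than trusting the dialog. This added example, not Lynx190's or bayoab's, parses the text written by `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and flags anything looser than a baseline. The REG_EXPORT text is constructed with one tampered value (1201 set back to Enable); the baseline is an assumption modelled on the settings in the post plus Prompt for scripting "safe" controls.

```python
#!/usr/bin/env python3
"""Audit IE Internet-zone ActiveX settings from a registry export.

Added example, not from the thread. Action IDs and the 0/1/3 level codes are
IE's URL-action values; BASELINE is an assumption. REG_EXPORT is a constructed
copy of what reg export writes (the real file is UTF-16: open it with encoding="utf-16").
"""
import re

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00000000
"Flags"=dword:00000001
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000
"1405"=dword:00000000
'''

ACTIONS = {
    0x1001: "Download signed ActiveX controls",
    0x1004: "Download unsigned ActiveX controls",
    0x1200: "Run ActiveX controls and plug-ins",
    0x1201: "Initialize and script ActiveX controls not marked as safe",
    0x1400: "Active scripting",
    0x1405: "Script ActiveX controls marked safe for scripting",
}
LEVELS = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Assumed baseline: the minimum acceptable level per action (a higher code is stricter).
BASELINE = {0x1001: 1, 0x1004: 3, 0x1201: 3, 0x1405: 1}

# value names in the export are the action IDs written as hex digits, e.g. "1201"
_VALUE_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})\s*$')


def parse_zone_export(text):
    """Return {action_id: level} for the DWORD values found under ...\\Zones\\3."""
    values = {}
    in_zone3 = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_zone3 = line.rstrip("]").endswith(r"\Zones\3")
            continue
        m = _VALUE_RE.match(line)
        if in_zone3 and m:
            values[int(m.group(1), 16)] = int(m.group(2), 16)
    return values


def audit(values, baseline=BASELINE):
    """Compare exported levels with the baseline; absent or unknown codes need a manual look."""
    findings = []
    for action, minimum in sorted(baseline.items()):
        current = values.get(action)
        if current is None:
            status, ok = "absent (IE default applies, set it explicitly)", False
        elif current not in LEVELS:
            status, ok = "unknown code 0x%x" % current, False
        else:
            status, ok = LEVELS[current], current >= minimum
        findings.append({"action": action, "name": ACTIONS[action],
                         "status": status, "required": LEVELS[minimum], "ok": ok})
    return findings


if __name__ == "__main__":
    for f in audit(parse_zone_export(REG_EXPORT)):
        print("%s  %04X %-60s is %s, want at least %s"
              % ("ok " if f["ok"] else "BAD", f["action"], f["name"], f["status"], f["required"]))
```

Export both the HKCU key and its HKLM twin (same path under HKEY_LOCAL_MACHINE): policy can be applied from either, and a dropper that wants to reopen the door only needs to write one of them. Re-run the audit after "Reset all zones to default level" and again after setting the values by hand, so you see the registry agree with the dialog.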
Old 2008-03-03, 18:47   Link #19
bayoab
Senior Member
 
Join Date: Nov 2003
Quote:
Originally Posted by Sepiraph
In your situation, I'd recommend doing a re-format of your computer. Start with a fresh install, then install an anti-virus program like Avast, anti-malware programs like Spybot and Ad-Aware, enable a firewall, and run Firefox with NoScript. That's pretty much my setup with Vista.

If you are still paranoid, you can browse from a public proxy server but that would affect the speed.
There is always wipe and reload, but what is the fun in that?
Besides, if you don't have the right setup for reloading, you might get nailed by a virus while repatching. If you are worried, there are always tricks and tools you can run to monitor what is actually leaving your computer and warn you if you are still at risk. (Leaving the computer alone on a hub with Wireshark watching the hub.)

Quote:
Originally Posted by Lynx190
The three warnings Norton initially gave me (all of them High Risk and labeled "A browser exploit at www.animesuki.com was blocked." and the above URL for the KnJ torrents as the attacking URL) were:

MSIE ADODB.Stream Object File Installation Weakness
MSIE WebViewFolderIcon ActiveX Control BO
MS XML Core Services XMLHTTP BO
These are all old exploits, which is what makes this kinda strange. If your system is really fully patched, these shouldn't have been a problem. It is likely none of these actually got you, but something else did. It is common for exploit authors to include tons of exploits in one attempt. You should go through and reset all your security settings and then manually do them. I've seen malware which drops stuff in the registry that overrides the buttons. (No scanner picks these up because they are legitimate, but completely insecure.)

Quote:
I've gotten that first one sporadically for no apparent reason and nothing bad ever happens, this time it got followed up by the other two then the attack began. Norton seems to have blocked everything from accessing network resources (High Risk) and detected/blocked multiple trojans, but when the spyware programs started modifying my startup settings and other system settings it inexplicably flagged those as low risk and let them proceed.
Norton's detections have always been bizarre and wonky. If you can, always make it so the program asks you what to do. Its automated scripts don't know the difference between a worm and an FTP transfer. (Start a mass FTP and watch the worm alert go off.)
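bayoab's "leave it on a hub with Wireshark watching" check, as an added example (not bayoab's code): the capture runs on a second machine on the hub, so whatever is hiding on the infected box (which had already disabled Task Manager) cannot hide its packets. The input is the kind of line `tshark -i eth0 -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport` prints; SAMPLE is constructed, the suspect and router addresses are assumptions, and the Internet-side addresses are from the RFC 5737 documentation ranges. Anything the idle machine sends that is not on a short allowlist gets reported, and flows that recur at a near-constant interval are marked as beacon-like, which is the tell for a bot checking in.

```python
#!/usr/bin/env python3
"""Report unexpected and periodic outbound connections from an idle suspect host.

Added example, not from the thread. SAMPLE is constructed tshark output
(epoch,src,dst,tcp.dstport,udp.dstport); addresses are assumptions.
"""
import statistics
from collections import defaultdict

SUSPECT = "192.168.1.10"
# What an idle box legitimately produces: DNS and NTP to the local router (assumed).
ALLOWED = {("192.168.1.1", 53), ("192.168.1.1", 123)}

SAMPLE = """\
1204600000.012,192.168.1.10,192.168.1.1,,53
1204600000.020,192.168.1.1,192.168.1.10,,53
1204600000.300,192.168.1.10,203.0.113.7,80,
1204600017.410,192.168.1.10,192.168.1.1,,123
1204600060.301,192.168.1.10,203.0.113.7,80,
1204600120.299,192.168.1.10,203.0.113.7,80,
1204600133.870,192.168.1.10,198.51.100.22,6667,
1204600180.302,192.168.1.10,203.0.113.7,80,
1204600240.300,192.168.1.10,203.0.113.7,80,
1204600251.004,192.168.1.10,192.168.1.1,,53
"""


def parse_flows(text, suspect=SUSPECT):
    """Group packets the suspect sends by (dst, dport) -> sorted timestamps.

    Inbound packets and anything without a TCP/UDP port (ICMP, ARP) are ignored.
    """
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, tcp_port, udp_port = line.split(",")
        if src != suspect:
            continue
        port = tcp_port or udp_port
        if not port:
            continue
        flows[(dst, int(port))].append(float(ts))
    return {k: sorted(v) for k, v in flows.items()}


def is_periodic(times, min_packets=4, max_cv=0.1):
    """(periodic?, mean gap) - gaps with low relative spread look like scheduled check-ins."""
    if len(times) < min_packets:
        return False, None
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False, None
    cv = statistics.pstdev(gaps) / mean   # coefficient of variation of the gaps
    return cv <= max_cv, round(mean, 3)


def report(text=SAMPLE, allowed=ALLOWED):
    """One finding per non-allowlisted destination the suspect talked to."""
    findings = []
    for (dst, port), times in sorted(parse_flows(text).items()):
        if (dst, port) in allowed:
            continue
        periodic, interval = is_periodic(times)
        findings.append({"dst": dst, "port": port, "packets": len(times),
                         "periodic": periodic, "interval_s": interval})
    return findings


if __name__ == "__main__":
    for f in report():
        tag = "BEACON every %ss" % f["interval_s"] if f["periodic"] else "unexpected"
        print("%s:%d  %d packets  %s" % (f["dst"], f["port"], f["packets"], tag))
```

A real hub, or a switch with a mirror/SPAN port, is the point: on an ordinary switch the second machine never sees the suspect's traffic. Let the box sit for an hour or more before judging the output; a check-in every few minutes needs a few repeats before the interval test can say anything, which is why is_periodic wants at least four packets.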
Old 2008-03-04, 03:04   Link #20
Jinto
Asuki-tan Kairin ↓
 
 
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
Quote:
Originally Posted by grey_moon
Sandboxie does a pretty decent job...

http://www.sandboxie.com/
I doubt it is possible to decently sandbox devices like ActiveX, which are more of a core component than e.g. FreeCell, without disabling too much of their functionality. Though I have no idea how this applies to Vista; there it might work better, since the whole system is prepared for sandboxing.
It's not the normal use of ActiveX that is dangerous, it's exploits, which usually override normal system behaviour (partial sandboxing could be overridden too).
__________________
Folding@Home, Team Animesuki