Green AV Removal
I came across another variety of these rogue antivirus programs today. This one was called Green AV. Just like most of the other rogue antivirus programs, it loaded itself at startup. A large window opened and told you that your computer was badly infected.
The rogue program blocked the computer from accessing the internet through Internet Explorer and just kept trying to sell its own antivirus product.
AVG was detecting a Trojan horse BHO.JOZ. The infected file was c:\windows\system32\wuholove.dll.
AVG also detected:
Trojan horse SHeur2.BAGH in c:\blyuwrjl.exe
Virus found Win32/Heur in c:\windows\system32\judopuje.exe
Trojan horse BHO.JOZ in c:\windows\system32\fefiweta.dll
Trojan horse Agent2.QLS in c:\osps.exe
I had to download some removal tools on another computer because this particular computer wouldn't get online at first. I downloaded them to a thumb drive and copied them over to the infected computer's desktop with that computer in Safe Mode. I renamed the ComboFix executable before running it, because this infection also appeared to interfere with the operation of ComboFix otherwise.
I ran the latest downloaded version of the ComboFix utility to see whether it would have any effect. It found and deleted a whole bunch of malware.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\-1996584367
c:\documents and settings\All Users\Application Data\12005934
c:\documents and settings\All Users\Application Data\12005934\12005934
c:\documents and settings\All Users\Application Data\12005934\12005934.exe
c:\documents and settings\All Users\Application Data\12005934\pc12005934ins
c:\documents and settings\All Users\Application Data\gra\WSTEch.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\fyblb.exe
c:\windows\Installer\1bf99f.msi
c:\windows\Installer\9f787c.msp
c:\windows\msa.exe
c:\windows\system32\~.exe
c:\windows\system32\bihorugi.dll
c:\windows\system32\drivers\UACndlkmkkjbo.sys
c:\windows\system32\kewevuro.dll
c:\windows\system32\kutakobi.dll
c:\windows\system32\niwogepi.exe
c:\windows\system32\UACwkaaqjbatj.dll
----- BITS: Possible infected sites -----
hxxp://s250.photobucket.com
hxxp://i250.photobucket.com
hxxp://s271.photobucket.com
hxxp://i271.photobucket.com
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_UACD.SYS
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
2009-08-30 19:23 . 2009-08-30 19:23 49152 ----a-w- C:\blyuwrjl.exe
2009-08-30 19:23 . 2009-08-30 19:23 6510 ----a-w- C:\emxtqjit.exe
2009-08-30 19:23 . 2009-08-30 19:23 17920 ----a-w- C:\osps.exe
2009-08-30 18:53 . 2009-09-03 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\gra
2009-08-30 17:30 . 2009-08-30 17:30 -------- d-sh--w- C:\found.000
2009-08-30 01:00 . 2009-07-09 16:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-30 01:00 . 2009-07-09 16:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-23 04:38 . 2009-06-29 16:12 17408 ------w- c:\windows\system32\dllcache\corpol.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-09-03 14:08 . 2009-06-03 14:08 88064 --sha-w- c:\windows\system32\yowokifo.dll
2009-09-03 14:07 . 2008-12-11 16:17 -------- d-----w- c:\program files\LogMeIn
2009-09-02 19:48 . 2008-12-11 15:33 -------- d-----w- c:\program files\SAAZOD
2009-09-02 19:46 . 2009-06-02 19:46 49152 --sha-w- c:\windows\system32\godamuwe.dll
2009-09-02 19:45 . 2007-07-17 03:17 256 ----a-w- c:\windows\system32\pool.bin
2009-08-30 20:34 . 2009-05-30 20:34 209408 --sha-w- c:\windows\system32\wuholove.dll
2009-08-30 20:34 . 2009-05-30 20:34 209408 --sha-w- c:\windows\system32\fefiweta.dll
2009-08-19 17:05 . 2007-12-09 18:40 -------- d-----w- c:\program files\Apple Software Update
2009-07-31 01:15 . 2009-03-31 19:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-31 01:15 . 2009-03-31 19:10 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-31 01:15 . 2008-12-11 15:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-28 04:56 . 2007-01-18 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-26 23:12 . 2009-07-26 23:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-26 22:02 . 2009-07-26 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-26 22:02 . 2009-05-30 00:03 -------- d-----w- c:\program files\Norton Security Scan
2009-07-26 22:01 . 2007-01-18 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-26 22:01 . 2009-07-26 22:01 -------- d-----w- c:\program files\NortonInstaller
2009-07-26 22:01 . 2009-07-26 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-29 16:12 . 2004-08-11 23:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-11 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-02 19:46 . 2009-06-02 19:46 49152 --sha-w- c:\windows\system32\jojilite.dll
2009-05-30 20:34 . 2009-05-30 20:34 831012 --sha-w- c:\windows\system32\judopuje.exe
2009-06-02 19:46 . 2009-06-02 19:46 49152 --sha-w- c:\windows\system32\zuyisuro.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2235a3f-16e7-4bcf-9bf6-219f06374acc}]
2009-06-02 19:46 49152 --sha-w- c:\windows\system32\zuyisuro.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2008-06-12 243072]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-23 1032192]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-18 26112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-07 29744]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-04 267048]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-12 2007832]
"29837465982736455"="c:\documents and settings\All Users\Application Data\gra\mradll.exe" [2009-08-28 90791]
"denitaramo"="c:\windows\system32\jojilite.dll" [2009-06-02 49152]
"jijuhigom"="c:\windows\system32\yowokifo.dll" [2009-09-03 88064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-09-22 282624]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2007-1-18 156784]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-3-28 1283608]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-18 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-4 81920]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{48ff25d3-2d8c-4517-9d85-b474423cc730}"= "c:\windows\system32\yowokifo.dll" [2009-09-03 88064]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"kurakuyik"= {48ff25d3-2d8c-4517-9d85-b474423cc730} - c:\windows\system32\yowokifo.dll [2009-09-03 88064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 20:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 01:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-12-11 16:20 87352 ----a-w- c:\windows\system32\LMIinit.dll
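The log above shows what makes this infection stand out once you know where to look: DLLs and EXEs in system32 with pseudo-random eight-letter names and hidden+system attributes (--sha-w-), Run values with made-up names like "denitaramo" or a long string of digits, and one DLL (yowokifo.dll) registered under three different load points at once. As an added example, not part of the original post and not ComboFix's own code, the Python script below parses ComboFix-style log lines and scores each path on those signals. The embedded sample log is constructed from the entries above; the weights and the flag threshold are assumptions chosen for this example.

```python
"""Triage a ComboFix-style log for rogue-AV persistence patterns.

Added example; not part of the original post and not ComboFix's own code.
Each file path seen in the Find3M / Files Created listings and in the Reg
Loading Points section is scored on several weak signals, so that a
legitimate eight-letter DLL (avgrsstx.dll) is not flagged on its name alone.
"""
import re
from collections import defaultdict

# "<attrs> <path>" as it appears in file listings and BHO entries,
# e.g. "88064 --sha-w- c:\windows\system32\yowokifo.dll"
ATTR_PATH_RE = re.compile(r"(?P<attrs>[-dshraw]{8}) (?P<path>[a-zA-Z]:\\.+?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")            # [HKEY_...] key line
NAME_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=')      # "value name"= ...
# Any dll/exe/sys path on a line; stops before a trailing "[date size]"
PATH_RE = re.compile(r"[a-zA-Z]:\\[^\"\[\]]+?\.(?:dll|exe|sys)", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")  # wuholove.dll, judopuje.exe ...

FLAG_THRESHOLD = 2  # assumed cut-off for this example


def name_looks_generated(value_name):
    """Autorun value names the malware made up (denitaramo, 29837465982736455)
    versus vendor names such as AVG8_TRAY or SunJavaUpdateSched."""
    return bool(re.fullmatch(r"[a-z]{8,}", value_name)
                or re.fullmatch(r"\d{10,}", value_name))


def parse_log(text):
    """Return (attrs, hooks). attrs: lowercased path -> 8-char attribute field.
    hooks: lowercased path -> {(registry key, value name or None)} loading it."""
    attrs = {}
    hooks = defaultdict(set)
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = ATTR_PATH_RE.search(line)
        if m:
            attrs[m.group("path").lower()] = m.group("attrs")
        if current_key is not None:  # inside the Reg Loading Points section
            m = NAME_RE.match(line)
            name = m.group("name") if m else None
            for path in PATH_RE.findall(line):
                hooks[path.lower()].add((current_key, name))
    return attrs, hooks


def triage(text):
    """Score every path; return {path: {"score": n, "reasons": [...]}} for
    paths scoring at least FLAG_THRESHOLD."""
    attrs, hooks = parse_log(text)
    score = defaultdict(int)
    reasons = defaultdict(list)
    for path, a in attrs.items():
        # hidden + system attributes on a file (not a directory) inside system32
        if "s" in a and "h" in a and not a.startswith("d") \
                and "\\windows\\system32\\" in path:
            score[path] += 2
            reasons[path].append("hidden+system file in system32")
    for path in set(attrs) | set(hooks):
        if RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1]):
            score[path] += 1
            reasons[path].append("pseudo-random 8-letter file name")
    for path, entries in hooks.items():
        keys = {key for key, _ in entries}
        if len(keys) > 1:  # same binary hooked into several load points
            score[path] += len(keys) - 1
            reasons[path].append("loaded from %d different load points" % len(keys))
        for key, name in entries:
            if name and name_looks_generated(name):
                score[path] += 2
                reasons[path].append("generated value name %r under %s" % (name, key))
    return {p: {"score": s, "reasons": reasons[p]}
            for p, s in score.items() if s >= FLAG_THRESHOLD}


# Constructed sample, assembled from entries in the log above.
SAMPLE_LOG = r"""
2009-08-30 19:23 . 2009-08-30 19:23 49152 ----a-w- C:\blyuwrjl.exe
2009-09-03 14:08 . 2009-06-03 14:08 88064 --sha-w- c:\windows\system32\yowokifo.dll
2009-09-03 14:07 . 2008-12-11 16:17 -------- d-----w- c:\program files\LogMeIn
2009-08-30 20:34 . 2009-05-30 20:34 209408 --sha-w- c:\windows\system32\wuholove.dll
2009-07-31 01:15 . 2009-03-31 19:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-30 20:34 . 2009-05-30 20:34 831012 --sha-w- c:\windows\system32\judopuje.exe
.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2235a3f-16e7-4bcf-9bf6-219f06374acc}]
2009-06-02 19:46 49152 --sha-w- c:\windows\system32\zuyisuro.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-12 2007832]
"29837465982736455"="c:\documents and settings\All Users\Application Data\gra\mradll.exe" [2009-08-28 90791]
"denitaramo"="c:\windows\system32\jojilite.dll" [2009-06-02 49152]
"jijuhigom"="c:\windows\system32\yowokifo.dll" [2009-09-03 88064]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{48ff25d3-2d8c-4517-9d85-b474423cc730}"= "c:\windows\system32\yowokifo.dll" [2009-09-03 88064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"kurakuyik"= {48ff25d3-2d8c-4517-9d85-b474423cc730} - c:\windows\system32\yowokifo.dll [2009-09-03 88064]
"""

if __name__ == "__main__":
    ranked = sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"])
    for path, info in ranked:
        print("%2d  %s" % (info["score"], path))
        for reason in info["reasons"]:
            print("      - " + reason)
```

Run against the sample, yowokifo.dll ranks first (hidden+system, random name, three load points, two generated value names), the other --sha-w- system32 files and the two Run entries with made-up names are flagged, while avgrsstx.dll and C:\blyuwrjl.exe each score only 1 and stay below the threshold. That last miss is deliberate in the design: blyuwrjl.exe was caught by AVG's signatures, not by anything visible in a file listing, so a log triage like this supplements the scanner output rather than replacing it.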
SUPERAntiSpyware found a number of other malware entries to remove, including:
Adware.Vundo/Variant-[Fixed]
Adware.Vindo/Variant-QHeader
Trojan.Vundo-Variant/NextGen
Adware.Tracking Cookie
Rogue.Anti-Virus-1
Trojan.Agent/Gen
Adware.Vundo/Variant-EC
The two tools I used to remove this infection effectively were ComboFix and the professional version of SUPERAntiSpyware. I highly recommend SUPERAntiSpyware for ongoing proactive protection. ComboFix is useful only after you are infected with this type of threat.
People need to be more careful about what types of websites they are visiting. Most people are way too exposed to rogue antivirus programs like Green AV.