Charlene Infection on April 30, 2007

A user reported that popup windows were appearing on her system on April 30, 2007 advising her to download antivirus software. When I opened Internet Explorer, I saw a window pop up with the following warning:

Microsoft Internet Explorer
Warning!

W32.Myzor.FK@yf is a virus that infects files with .exe extensions. It attempts to steal passwords
and private information from the infected comupter.

Type:Virus
Infection Length:138,293
Systems Affected:Windows 95, 98, ME, NT (all versions), 2003, Windows XP (all service packs)
Systems Not Affected: DOS, EPOC, Linux, Macintosh, Novell Netware, OS/2, UNIX
Technical details:
  1. Creates files in %Windir%\ directory. By default, this is C:\Windows.
  2. Adds values to registry keys:
    HKEY_LOCAL_MNACHINE\Software\Micrsoft\Windows\CurrentVersion\Run
  3. Scans the hard drive for .exe files and infects any executable files.
    Searches for passwords/information, which it may send to a remote attacker.
Recommendations:Click "OK" to download officially approved security software.
Always keep your patch levels up-to-date


OK     Cancel

The warning was made to look like it was coming from an antivirus program, but it doesn't mention any specific infected file nor does it mention what files are placed in %Windir% nor specific registry values created in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Note, I did not misspell "machine" in HKEY_LOCAL_MNACHINE in the warning window. It actually appeared as "mnachine" in the warning window.

Behind that window was the Internet Explorer window. It had opened to http://aprotectservice.com/, with a window title of "Security Center". On the left side of that window, under "Official Parners" were a list of "security" products, as shown below. I would definitely recommend that any of the products listed below in the "Official Partners" section not be used.

 Official Partners
  • Spy Heal
    SpyHeal is the Latest and Most Advanced Spyware Detection and Removal application on the Internet. We will prevent anyone from "spying" on your Internet activites.

  • Pest Capture
    Most popular spyware/adware cleaner software all over the world. Cleans all known viruses and worms.

  • Antivirus Golden
    AntivirusGolden is one of the most technologically advanced Spyware removal and protection software in the world today.

  • Malware Wiped
    Became one of the most popular programs very fast. It`s really easy to use and at the same time very effective.

  • Warning! Do not use any of the antivirus programs listed under "Official Partners". These were being advertised on an infected system. I would certainly not partner with any of them

    The Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites list of dubious antispyware products contains the following information about these rogue antisypware applications.

    SpyCrush spycrush.com aggressive, deceptive advertising (1,2); same app as SpyDawn, SpyHeal, SpywareQuake, VirusBurst, & VirusBursters [A: 3-7-07 / U: 3-7-07]
    Brave Sentry bravesentry.com aggressive advertising, desktop hijacking (1, 2); false positives work as goad to purchase; inadequate scan reporting; same app as DIARemover, MalwareAlarm, Mr.AntiSpy, PestCapture, PestTrap, PestWiper, SpyDemolisher, SpyMarshal, SpySheriff, SpyTrooper, SpywareNo, & Spyware-Stop [A: 3-9-06 / U: 3-9-06]
    AntiVirus Gold /
    AntiVirus Golden
    antivirus-gold.com
    antivirusgolden.com
    aggressive advertising, desktop hijacks (1, 2, 3, 4, 5, 6, 7, 8); false positives work as goad to purchase; uses inadequate scan/detection scheme; same app as AdwareDelete, MalwareWiped, SpyAxe, SpyFalcon, SpyLocked, Spyware Sheriff, SpywareStrike, TitanShield AntiSpyware, & VirusBlast [A: 6-2-05 / U: 6-13-06]
    MalwareWipe / MalwareWiper / MalwareWiped malwarewipe.com
    malwarewiped.com
    aggressive, deceptive advertising; uses flawed, inadequate detection scheme; same app as AdwareDelete, AntiVirus Gold, SpyAxe, SpyFalcon, SpyLocked, Spyware Sheriff, SpywareStrike, TitanShield AntiSpyware, & VirusBlast [A: 12-28-05 / U: 12-26-06]


    SpyHeal is listed as being the same application as SpyCrush. Pest Capture is the same as Brave Sentry. Antivirus Golden is listed as being the same as Spyware Sheriff and Malware Wiped.

    I updated the malware definitions for Bazooka Sypware Scanner 1.13.03 and checked the system with it. It did not detect anything. I then updated the malware database for Spybot Seach & Destop 1.4. It found the following ( Report ):

    ProblemKind
    FunWeb 15 entries
    FunWebProducts 56 entries
    Microsoft.WindowsSecurityCenter.AntiVirusOverride 1 entries
    MyWay.MyWebSearch 66 entries
    MyWebSearch 21 entries
    TagASaurus 1 entries
    Zlob.VideoAccessActiveXObject 1 entries

    Spybot listed a screensaver, f3PSSavr, as an executable for FunWebProducts. I found a FunWebProducts folder under C:\Program Files. The zipped contents of that folder are here.

    When I switched to advanced mode in Spybot and looked at the BHOs, I saw details on the one for MyWebSearch Search Assistant BHO. I found a MyWebSearch folder under C:\Program Files. The zipped contents of that folder are here

    Though TagASaurus was listed as a trojan, the only entry Spybot listed for it was a cookie.

    When I attempted to open an HTML file on the PC from a link in a document without realizing that the filename was misspelled, I also saw a warning appear in Internet Explorer that "The page you are looking for is probably blocked by adware/spyware on your PC. Remove it with System Doctor software. CLICK HERE."

    I had Spybot fix all of the problems, except the Microsoft.WindowsSecurityCenter.AntiVirusOverride issue, since I believe that was modified by the antivirus software on the system, so that it could manage notifications. When I opted to fix the problems, I saw the message below.

    Some problems couldn't be fixed; the reaon could be that the associated files are still in use (in memory).
    This could be fixed after a restart.
    May Spybot-S&D run on your next system startup?

    I chose to restart the system. I then saw a message that 159 problems were fixed, but 1 problem could not be fixed. Spybot was apparently unable to delete C:\Program Files\MyWebSearch. When I looked in the folder, I found several DLL files still remaining in its subfolders.

    When I checked on what process had the MWSBAR.DLL DLL file, which is located in C:\Program Files\MyWebSearch\bar\3.bin loaded, I found it was explorer.exe.

    C:\Documents and Settings\Administrator>tasklist /m /fi "modules eq mwsbar.dll"
    
    Image Name                   PID Modules
    ========================= ====== =============================================
    explorer.exe                2696 ntdll.dll, kernel32.dll, msvcrt.dll,
                                     ADVAPI32.dll, RPCRT4.dll, GDI32.dll,
                                     USER32.dll, SHLWAPI.dll, SHELL32.dll,
                                     ole32.dll, OLEAUT32.dll, BROWSEUI.dll,
                                     SHDOCVW.dll, CRYPT32.dll, MSASN1.dll,
                                     CRYPTUI.dll, WINTRUST.dll, IMAGEHLP.dll,
                                     NETAPI32.dll, WININET.dll, WLDAP32.dll,
                                     VERSION.dll, UxTheme.dll, ShimEng.dll,
                                     AcGenral.DLL, WINMM.dll, MSACM32.dll,
                                     USERENV.dll, comctl32.dll, comctl32.dll,
                                     appHelp.dll, CLBCATQ.DLL, COMRes.dll,
                                     cscui.dll, CSCDLL.dll, themeui.dll,
                                     Secur32.dll, MSIMG32.dll, xpsp2res.dll,
                                     msutb.dll, MSCTF.dll, SAMLIB.dll,
                                     ntshrui.dll, ATL.DLL, SETUPAPI.dll, msi.dll,
                                     NETSHELL.dll, rtutils.dll, credui.dll,
                                     WS2_32.dll, WS2HELP.dll, iphlpapi.dll,
                                     LINKINFO.dll, urlmon.dll, WINSTA.dll,
                                     webcheck.dll, WSOCK32.dll, stobject.dll,
                                     BatMeter.dll, POWRPROF.dll, WTSAPI32.dll,
                                     wdmaud.drv, msacm32.drv, midimap.dll,
                                     mwsoestb.dll, rsaenh.dll, IadHide5.dll,
                                     MPR.dll, drprov.dll, ntlanman.dll,
                                     NETUI0.dll, NETUI1.dll, NETRAP.dll,
                                     davclnt.dll, SXS.DLL, EuShlExt.dll,
                                     browselc.dll, MWSSRCAS.DLL, RASAPI32.DLL,
                                     rasman.dll, TAPI32.dll, AcroIEHelper.ocx,
                                     MWSBAR.DLL, SDHelper.dll, olepro32.dll,
                                     IMM32.dll, DUSER.dll, msohev.dll, MLANG.dll,
                                     gdiplus.dll, fsshext.8.1.0178.00.dll,
                                     MSVCR80.dll, shdoclc.dll, vpshell2.dll,
                                     gvimext.dll, MSVCRT40.dll, syncui.dll,
                                     igfxpph.dll, hccutils.DLL, zipfldr.dll,
                                     actxprxy.dll, sti.dll, CFGMGR32.dll,
                                     igfxres.dll, igfxress.dll, sendmail.dll,
                                     mydocs.dll, Audiodev.dll, WMVCore.DLL,
                                     WMASF.DLL, wiashext.dll
    

    The MWSSRCAS.DLL file from C:\Program Files\MyWebSearch\SrchAstt\3.bin was also loaded by explorer.exe

    After I rebooted, Spybot ran automatically and indicated it was able to fix the remaining problems. When I logged in afterwards, I saw the message below.

    RUNDLL
    Error loading C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL

    The specified module could not be found.

    OK

    I used regedit to search the registry for MWSBAR. I found a reference to it in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There was a value name of My Web Search Bar of type REG_SZ. The value for it was rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S . I deleted the value name from the Run key. I also deleted another value name I found in that Run key. It was for a value name of MyWebSearch Email Plugin of type REG_SZ with the value C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe.

    Still, after the above steps, whenever I opened Internet Explorer, it would immediately go to http://aprotectservice.com/. I set the home page to www.google.com, but it would still to to the aprotecservice site. I tried going to Tools, Internet Options, Programs, and clicking on Reset Web Settings, but it made no difference. Since it was about 11:00 P.M. at that point, as a temporary fix for the problem, I edited the hosts file in /windows/system32/drivers/etc. Since the file was read-only, I right-clicked on the filename and unchecked the read-only attribute. I then added the following line under the one for localhost.

    64.233.161.103  aprotectservice.com

    The 64.233.161.103 address is an address for one of the Google webservers, so whenever I opened Internet Explorer afterwards, it would show http://aprotectservice.com/ in the address bar, but would actually go to the Google website. I'll have to return to the site where the system is located later to get rid of the underlying problem, which I believe is related to the Zlob infection.

    FunWebProducts has not brought fun to the user of the system and certainly hasn't made my life fun, either. Its free "funny icons or smileys" bring aggravation and removal may not be free. I removed this malware from the same system on September 3, 2006 (see FunWebProducts - September 3, 2006). I've also encountered it on another system previously where it had caused a great deal of aggravation for the user.