#1
Registered User
Join Date: Mar 2009
Posts: 2
OS: Microsoft Windows XP Media Center Edition Version 2002 Service Pack 3
[SOLVED] Fake Java Update and subsequent problems with Spy Sweeper and McAfee Antivirus
Hi,
On the night of March 10, 2009, I got a message from Microsoft and did a Windows Update. Then, I got a notice that there was a new version of Java available, and I downloaded it, only instead of my Spy Sweeper asking to allow one BHO (Browser Helper Object), it asked me to allow three, and instead of my McAfee antivirus asking to allow one file, it asked to allow four or five. Some of these files that McAfee asked for looked fishy, so I clicked on "Tell McAfee about this program" each time. The McAfee page gave no warnings about the files. One, however, had a file path that had "Owner.BULLOCKFAMILY" in it, so I did a screen capture, which had this:

File Name: jre-6u12-windows-i586-p-iftw.exe
File Size: 607640
File Path: C:\Documents and Settings\Owner.BULLOCKFAMILY\My Documents\Downloads\
Version: 6.0
First seen: 2/2/2009
Manufacturer: Sun Java for Windows

During this Java Update, McAfee repaired and removed something named HTML Fake/AV. McAfee said:

3/10/2009 6:52:05 PM Real-Time Scan HTML/FakeAV (Trojan) Repaired (removed)
Details
One or more items were detecte on your computer.
Detection name: HTML/FakeAV (Trojan)
File: C:\Documents and Settings\Steven\Local Settings\Application Data\Mozilla\Firefox\Profiles\xf0k4yj5.default\Cache\E6ECE3CAd01
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Process description: Firefox

I then shut down my Spy Sweeper and ran Malwarebytes' Anti-Malware, which said:

Fake.Driver Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL

I then went to Control Panel > Add/Remove Programs and removed older versions of Java. I then flushed the Java cache. Then, as is recommended to totally remove trojans, I turned off System Restore. In retrospect, this was a fatal mistake, since I could not then restore my system to before all the (fake Java) components insinuated themselves onto my computer.
On reboot, I encountered two beeps, and got the following message on the black screen:

Phoenix ROM BIOS PLUS Version 1.10 A02
Copyright 1985-1988 Phoenix Technologies Ltd.
Copyright 1990-2005 Dell Inc. All Rights Reserved
Dell DXP051 Series
BIOS version A02
www.dell.com
Drive 5 not Found: Parallel ATA, PATA-1 (PRI IDE Slave)
Intel(R) Matrix Storage Manager option ROM v5.0.0.1032 ICH7R

Then I noticed that I could not retrieve the DVD in my DVD-burner, so I removed it by putting a paperclip in the small hole. I went to My Computer > System Properties > Hardware > Device Manager > DVD\CD-ROM drives. The DVD burner was not listed at all. I rebooted again, and the drive returned to normal.

Later that day, I went to my local bank and mentioned the Java weirdness, and one of the tellers told me that he'd heard on the news that there had been a fake Java update download with a virus in it. I went home and tried to find information online about a fake Java update download and couldn't find anything.

The next night (March 11), I upgraded Spy Sweeper to 6.1.0 (build 107) and did a scan. It found 42 pieces of spyware. Ordinarily, it catches only 12 or 13.

On March 12, I do a Spy Sweeper scan, and only 12 pieces of spyware are found. Then, I go into Spy Sweeper > Options > View Session Log, and I see a couple of hundred of "Warning: AntiVirus engine for IFO returned [Error Code A0040220]". Also, the Sessions Log is only for today. Previously, whenever I'd viewed the Sessions Log, it was for weeks and weeks. Also, after I maximized the Spy Sweeper window, it did not minimize. Now, if I close Spy Sweeper and re-open it, the window is maximized and I cannot minimize it. Also, the Spy Sweeper splash screen does not appear during boot-up, even though it is selected to appear, as shown in Options > Program > Display splash screen on program startup. I reboot again, and Spy Sweeper's window now maximizes and minimizes again.
I open the Sessions log, and once again, the log is only for today. Yesterday's log is no longer there. These are sample entries in the session logs:

3/12/2009 12:16:12 PM: Warning: AntiVirus engine for IFO returned [Error Code A0040220] on [C:\WINDOWS\WindowsUpdate.log]
3/12/2009 12:16:11 PM: Warning: AntiVirus engine for IFO returned [Error Code A0040220] on [C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log]
3/12/2009 12:16:11 PM: Warning: AntiVirus engine for IFO returned [Error Code A0040220] on [C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb]
3/12/2009 12:16:11 PM: Warning: AntiVirus engine for IFO returned [Error Code A0040220] on [C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb]
3/12/2009 12:11:44 PM: Warning: AntiVirus engine for IFO returned [Error Code A0040220] on [C:\Program Files\Dell Support Center\sscommon\common\inc\ss_event.js]
3/12/2009 12:11:44 PM: Warning: AntiVirus engine for IFO returned [Error Code A0040220] on [C:\Program Files\Dell Support Center\sscommon\common\inc\ss_config.js]
3/12/2009 12:11:44 PM: Warning: AntiVirus engine for IFO returned [Error Code A0040220] on [C:\Program Files\Dell Support Center\sscommon\common\inc\ss_log.js]
3/12/2009 12:15:31 PM: Warning: AntiVirus engine for IFO returned [Error Code A0040220] on [C:\Documents and Settings\Steven\Application Data\Microsoft\Office\Recent\index.dat]
3/12/2009 12:15:31 PM: Warning: AntiVirus engine for IFO returned [Error Code A0040220] on [C:\Documents and Settings\Steven\Application Data\Microsoft\Office\Recent\malware notes.doc.LNK]

The final entry above is for my writing this message in Microsoft Word right now. Basically, there is an error warning for every action that I perform on my computer. I googled Error Code A0040220 and at http://www.sophos.com/support/knowle...cle/14376.html found this:

a0040220 The main body of threat detection data is missing.

Granted, the above is for an anti-spyware program other than Spy Sweeper.
Next, I tried Spy Sweeper in Safe Mode, whereupon McAfee gave a notice that says: "McAfee Security Center: Your computer is not protected." I click on McAfee, and inside, in the Computer & Files section and in the E-mail & IM section, it says: "Action Required!" I clicked on Fix, and it said: "One or more problems cannot be fixed because of an error." In the right pane, it says:

• Real-time scanning is disabled.
• Spyware and potentially unwanted program scanning is disabled.
• IM scanning is disabled.
• Script scanning is disabled.
• Buffer overflow protection is disabled.
• Privacy Service shut down unexpectedly and Personal Information Protection is now disabled.
• Privacy Service shut down unexpectedly and Parental Controls is now disabled.

I re-booted, and selected Last Known Good Configuration. The Spy Sweeper splash screen comes up now on boot-up, but the same type of Session Log errors still come up. I usually use Firefox, but when I use Internet Explorer now, I get an error notice from Windows Internet Explorer that says: "Cookies are disabled on your computer. This may cause problems."
Here are the contents of DDS.txt:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Steven at 17:01:31.46 on Thu 03/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.332 [GMT -4:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ElprimeClockPro\EClock.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Steven\Desktop\Tech S\techsupport downloaded programs\dds.scr

============== Pseudo HJT Report ===============
uStart Page = hxxp://www.amazon.com/gp/homepage.html/002-6503450-3917661
uSearch Bar =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: JunoBar: {5854fac4-5bf0-47dd-b5a9-a5ea8cff3cf4} - c:\program files\juno\toolbar.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [Elprime Clock Pro] "c:\program files\elprimeclockpro\EClock.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SigmatelSysTrayApp] "c:\windows\stsystra.exe"
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [dla] "c:\windows\system32\dla\tfswctrl.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
mRun: [DLCCCATS] "rundll32" c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138476150250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\xf0k4yj5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/outlook/homeandgarden/garden/hourbyhour/02130?from=36hr_topnav_garden
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-7-28 29808]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-20 201320]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-30 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-20 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-20 144704]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-2-25 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2008-10-26 1178728]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-20 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-20 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-20 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-20 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-20 33832]

=============== Created Last 30 ================
2009-03-12 01:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-11 19:56 164 a------- c:\windows\install.dat
2009-02-25 05:49 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================
2009-03-12 16:05 42,088 a------- c:\docume~1\steven\applic~1\wklnhst.dat
2009-03-12 01:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 17:10 1,553,784 a------- c:\windows\WRSetup.dll
2009-02-25 15:24 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-02-25 15:24 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-02-25 15:24 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-29 13:05 61,224 a------- c:\documents and settings\steven\GoToAssistDownloadHelper.exe
2009-01-29 00:38 164 a------- C:\install.dat
2008-12-20 19:15 826,368 a------- c:\windows\system32\wininet.dll
2006-12-07 23:48 70,888 a------- c:\docume~1\steven\applic~1\GDIPFONTCACHEV1.DAT
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 08:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2008-07-16 13:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071620080717\index.dat

============= FINISH: 17:02:47.47 ===============
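A first triage pass over DDS-style output like the report above, added here as an example and not part of the original post or of the DDS tool itself. The sample lines are copied from the report above; the three checks (a CLSID registered with "No File" behind it, a Run key that launches through rundll32, and a hidden+system DLL under system32) are the usual analyst heuristics for what to look at first, not verdicts on the files.

```python
import re

# Constructed sample: a handful of lines in the DDS "Pseudo HJT Report" and
# "Find3M" formats, copied from the report quoted in the post above.
SAMPLE_DDS = r"""
TB: JunoBar: {5854fac4-5bf0-47dd-b5a9-a5ea8cff3cf4} - c:\program files\juno\toolbar.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DLCCCATS] "rundll32" c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
==================== Find3M ====================
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2008-07-16 13:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
"""

# Startup/plugin entries: "<kind>: <rest of line>".
HJT_LINE = re.compile(r"^(BHO|TB|uRun|mRun|DPF|Handler|Notify|IE): (.*)$")
# File records: "<date> <time> <size> <8 attribute flags> <path>".
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+([a-z-]{8})\s+(.+)$")


def parse_dds(text):
    """Split DDS text into startup entries and file-listing records."""
    entries, files = [], []
    for line in text.splitlines():
        m = HJT_LINE.match(line)
        if m:
            kind, body = m.groups()
            entries.append({"kind": kind, "body": body, "orphan": body.endswith("- No File")})
            continue
        m = FILE_LINE.match(line)
        if m:
            when, size, attrs, path = m.groups()
            files.append({"when": when, "size": int(size.replace(",", "")),
                          "attrs": attrs, "path": path.lower()})
    return entries, files


def triage(entries, files):
    """Return human-readable findings for the analyst to verify by hand."""
    findings = []
    for e in entries:
        if e["orphan"]:
            findings.append(f"orphan {e['kind']} entry (CLSID with no file): {e['body']}")
        if e["kind"] in ("uRun", "mRun") and "rundll32" in e["body"].lower():
            findings.append(f"{e['kind']} launches via rundll32, confirm the DLL: {e['body']}")
    for f in files:
        # DDS prints 's' (system) and 'h' (hidden) in the attribute column.
        hidden_system = "s" in f["attrs"] and "h" in f["attrs"]
        if hidden_system and "\\system32\\" in f["path"] and f["path"].endswith(".dll"):
            findings.append(f"hidden+system DLL in system32: {f['path']} ({f['when']}, {f['size']} bytes)")
    return findings


if __name__ == "__main__":
    for finding in triage(*parse_dds(SAMPLE_DDS)):
        print(finding)
```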
#2
Registered User
Join Date: Mar 2009
Posts: 2
OS: Microsoft Windows XP Media Center Edition Version 2002 Service Pack 3
Re: Fake Java Update and subsequent problems with Spy Sweeper and McAfee Antivirus
My solution was to re-format my computer.
Thank you for your time.
#3
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,508
OS: XP SP3
Re: [SOLVED] Fake Java Update and subsequent problems with Spy Sweeper and McAfee Antivirus
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006