
Persistent JS/XULCache.A infection


15 replies to this topic

#1 Yttermayn

Yttermayn

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:04 AM

Posted 01 July 2011 - 08:44 AM

I visited a music site that apparently got infected, and it passed this infection on to my PC. I get alerts from AVG about an infected file, and it seems to be browser related, but I believe it has happened with no browsers open as well. I am running WinXP Pro SP3. I have AVG free and Spybot installed. Both have been updated and used to scan the whole system. Spybot didn't come up with anything. AVG keeps catching the JS/XULCache.A trojan when it gets written into my Google Chrome user data in the form of the contentscript.js file. I did find an exe file that was getting started automatically on startup that was infected, that would restart itself as soon as it was shut down via taskman. I was able to prevent its startup and delete it, but something else is at work here. I don't remember the name of that file, but it's gone anyways. AVG has removed JS/XULCache.A, SHeur3.CGXD, and Downloader.Generic.11.AXWD since this all started.
I dl'd Malwarebytes and updated yesterday. It found a bunch more infected items and removed them as well. Something is still active though, as I got the alert from AVG again about JS/XULCache.A this morning.

Please help me track down what is causing this persistent infection.
Here is MWB's log:

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/30/2011 6:28:34 PM
mbam-log-2011-06-30 (18-28-34).txt

Scan type: Quick scan
Objects scanned: 241124
Time elapsed: 9 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\winupdate (Worm.P2P) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\drivers\downld (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\localservice.nt authority\application data\02000000900006751356p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice.nt authority\application data\02000000900006751356c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice.nt authority\application data\02000000900006751356o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice.nt authority\application data\02000000900006751356s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\02000000900006751356p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\02000000900006751356c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\02000000900006751356o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\02000000900006751356s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\drivers\downld\487187.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\drivers\downld\502078.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\drivers\downld\571890.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\drivers\downld\592000.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\drivers\downld\658062.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\drivers\downld\711531.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\drivers\downld\734578.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by hamluis, 01 July 2011 - 09:34 AM.
Moved from XP to Am I Infected.
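The MBAM log above is plain text that the Malware Response Team reads by hand. The following is an added example written for this thread (not code from the poster, from Malwarebytes or from BleepingComputer): it parses that log format, counts detections per family, flags any item MBAM did not quarantine, and groups file hits by directory so that a cluster like the `drivers\downld` folder stands out. The sample log is a constructed excerpt in the same format as the one posted.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM 1.x) scan log and summarise it.

Added example for this thread; the sample below is a constructed excerpt
in the same "<item> (<family>) -> <action>." format as the posted log.
"""
import ntpath
import re
from collections import Counter, defaultdict

SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\winupdate (Worm.P2P) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWZ\system32\02000000900006751356p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\drivers\downld\487187.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWZ\system32\drivers\downld\502078.exe (Trojan.Agent) -> No action taken.
"""

# Section headers look like "Files Infected:" (the summary lines at the top of
# a real log carry a trailing count and therefore do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# An item, the detection family in parentheses, then one or more "->" parts;
# the last part is the action MBAM took, anything before it is detail
# (e.g. "Bad: (1) Good: (0)" on a PUM registry-data entry).
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action, detail."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            parts = [p.strip() for p in m.group("rest").split("->")]
            findings.append({
                "section": section,
                "item": m.group("item"),
                "family": m.group("family"),
                "action": parts[-1],
                "detail": " -> ".join(parts[:-1]),
            })
    return findings


def summarise(findings):
    """Count detections per family and list items that were not quarantined."""
    by_family = Counter(f["family"] for f in findings)
    unresolved = [f for f in findings if not f["action"].startswith("Quarantined")]
    return {"total": len(findings), "by_family": dict(by_family), "unresolved": unresolved}


def file_clusters(findings, min_files=2):
    """Group 'Files Infected' hits by parent directory (case-folded, Windows
    path rules via ntpath) and keep directories with at least min_files hits."""
    by_dir = defaultdict(list)
    for f in findings:
        if f["section"] == "Files Infected":
            by_dir[ntpath.dirname(f["item"]).lower()].append(ntpath.basename(f["item"]))
    return {d: sorted(names) for d, names in by_dir.items() if len(names) >= min_files}


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    report = summarise(found)
    print(f"{report['total']} detections by family: {report['by_family']}")
    for f in report["unresolved"]:
        print("NOT NEUTRALISED:", f["item"], "->", f["action"])
    for d, names in file_clusters(found).items():
        print(f"{len(names)} hits in {d}: {', '.join(names)}")
```

Run it against a full log pasted into `SAMPLE_LOG` (or read from the mbam-log file) to get the same summary for a real scan.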



#2 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  • Gender:Male
  • Location:somewhere in time
  • Local time:06:04 PM

Posted 01 July 2011 - 02:43 PM

Hi Yttermayn, and welcome.

Clean temp files with Temp File Cleaner:

  • Double click on TFC.exe to run the program
  • Click on Start button to begin cleaning process
  • TFC will close all running programs, and if it asks you to restart the computer, allow it

then scan your PC with ESET Online Scanner following these steps:


  • Disable your Antivirus and other security software
  • Click here to open ESET Online Scanner
  • Click the Posted Image button
  • Only if you don't use Internet Explorer:
    • Click on Posted Image to download the ESET Smart Installer and Save it to your desktop
    • Double click on the esetsmartinstaller_enu icon on your desktop
  • Check Posted Image
  • Click Posted Image
  • Accept any security warnings from your browser
  • Under scan settings, check Posted Image and Uncheck Remove found threats
  • Click Advanced settings and select:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will download updates and install itself, then begin the scan. Please be patient as this can take some time.
  • When the scan completes, click Posted Image
  • Click Posted Image, and save the file to your desktop using a unique name, such as ESETScan
  • Click Posted Image
  • Click Posted Image
and next download Security Check, save it to your Desktop and:

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box
  • A Notepad document should open automatically called checkup.txt; save it to your desktop
Now you should re-enable the protections that you previously disabled and include the contents of the reports in your reply.

Regards.


Edited by Clairvoyant, 01 July 2011 - 02:46 PM.


#3 Yttermayn

Yttermayn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:04 AM

Posted 02 July 2011 - 12:58 AM

Thanks, Clairvoyant!
Here's the txt from Eset:
C:\Program Files\MSN Messenger\RICHED20.DLL Win32/FunWeb application
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1845\A0259008.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1846\A0259075.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1848\A0261029.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1848\A0262071.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1850\A0262286.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\_.FERAL\Application Data\Mozilla\Firefox\Profiles\rrxffl6c.default\extensions\{213bba21-cb64-4856-be71-350bba168733}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\_.FERAL\Application Data\Mozilla\Firefox\Profiles\rrxffl6c.default\extensions\{738adc9f-6adf-4ad1-a1a0-4a2a53334519}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
D:\desktop stuff\recent software downloads 42805\nero7.rar Win32/Toolbar.AskSBar application
D:\wLite\wSettingsCleaner.exe probably a variant of Win32/TrojanDownloader.Banload.DCRUMDF trojan
D:\Zoom Player Pro\zplayer.exe probably a variant of Win32/Agent.NPPSRCQ trojan

Unfortunately, Security check runs, but I keep getting a message:
Posted Image
I can click OK and get to the end, but the message pops up endlessly when the program tries to open notepad, I think. It's at the stage where it says "Preparing Done"

Edit: I went ahead and deleted the file the above image is referring to. It was in all caps, was 1kb, and last modified today. Then I re-ran Security Check and it was able to complete, so here is the text:
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3 (UAC is disabled!)
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

avast! Free Antivirus
AVG 2011
ESET Online Scanner v3
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Out of date Spybot installed!
MVPS Hosts File
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 23
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_16
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader 8.2.6
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Alwil Software Avast5 AvastSvc.exe
``````````End of Log````````````

Edited by Yttermayn, 02 July 2011 - 01:18 AM.


#4 Clairvoyant

Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • OFFLINE
  • Gender:Male
  • Location:somewhere in time
  • Local time:06:04 PM

Posted 02 July 2011 - 07:07 AM

Hi Yttermayn,

ESET Online Scanner found some threats, but now, in order to proceed to clean your computer, you need to do some other activities.

So, you need to install the latest version of the JRE:

  • Go here
  • Read the License Agreement, and then check the box that says: "Accept License Agreement"
  • From the list, select your OS and Platform
  • Download for an Offline Installation and save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Uninstall JRE from Start => Control Panel => Add/Remove Programs => click on Java => click on Uninstall
  • Repeat the step above for every JRE entry you see
  • Double click on downloaded file and install it

then uninstall one of the AVs you have installed; it isn't a good idea to have more than one antivirus with real-time protection features installed (if you wish, you can uninstall both and install Antivir Free, which in my opinion is better than the other two).
Next, install a good free firewall, like Comodo (if you choose Comodo, DO NOT install the antivirus during the installation process) or Online Armor, and update IE to the latest version (even if you don't use it).

You also have to update Spybot S'n'D, if you want to use it, and Acrobat Reader (if you prefer, you can uninstall it and try Foxit Reader).
I noticed that you use MVPS Hosts File, please check if you have the latest version, and if not, update it too.

Then disable your internet connection, run TFC again, perform a new scan with your updated AV, re-enable your internet connection and scan your PC again with ESET Online Scanner.

Please, include the contents of the scan reports in your reply.

Regards.

Edited by Clairvoyant, 02 July 2011 - 07:08 AM.


#5 Yttermayn

Yttermayn
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:04 AM

Posted 03 July 2011 - 08:49 AM

Whew! That took a while!
Antivir got run a couple of times:


Avira AntiVir Personal
Report file date: Saturday, July 02, 2011 12:43

Scanning for 2870057 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : FERAL

Version information:
BUILD.DAT : 10.2.0.696 35934 Bytes 6/29/2011 17:32:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 7/2/2011 14:23:36
AVSCAN.DLL : 10.0.5.0 47464 Bytes 7/2/2011 14:23:36
LUKE.DLL : 10.3.0.5 45416 Bytes 7/2/2011 14:23:42
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 06:40:50
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 7/2/2011 14:23:46
AVREG.DLL : 10.3.0.7 90472 Bytes 7/2/2011 14:23:46
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 16:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 13:53:56
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 13:53:58
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 18:36:58
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 18:18:24
VBASE005.VDF : 7.11.8.179 2048 Bytes 5/31/2011 18:18:24
VBASE006.VDF : 7.11.8.180 2048 Bytes 5/31/2011 18:18:24
VBASE007.VDF : 7.11.8.181 2048 Bytes 5/31/2011 18:18:24
VBASE008.VDF : 7.11.8.182 2048 Bytes 5/31/2011 18:18:24
VBASE009.VDF : 7.11.8.183 2048 Bytes 5/31/2011 18:18:24
VBASE010.VDF : 7.11.8.184 2048 Bytes 5/31/2011 18:18:24
VBASE011.VDF : 7.11.8.185 2048 Bytes 5/31/2011 18:18:24
VBASE012.VDF : 7.11.8.186 2048 Bytes 5/31/2011 18:18:24
VBASE013.VDF : 7.11.8.222 121856 Bytes 6/2/2011 07:49:16
VBASE014.VDF : 7.11.9.7 134656 Bytes 6/4/2011 21:10:36
VBASE015.VDF : 7.11.9.42 136192 Bytes 6/6/2011 21:39:58
VBASE016.VDF : 7.11.9.72 117248 Bytes 6/7/2011 20:44:58
VBASE017.VDF : 7.11.9.107 130560 Bytes 6/9/2011 13:03:42
VBASE018.VDF : 7.11.9.143 132096 Bytes 6/10/2011 22:53:42
VBASE019.VDF : 7.11.9.172 141824 Bytes 6/14/2011 12:29:56
VBASE020.VDF : 7.11.9.214 144896 Bytes 6/15/2011 22:32:36
VBASE021.VDF : 7.11.9.244 196608 Bytes 6/16/2011 23:51:32
VBASE022.VDF : 7.11.10.28 152576 Bytes 6/20/2011 14:07:20
VBASE023.VDF : 7.11.10.53 210432 Bytes 6/21/2011 14:07:22
VBASE024.VDF : 7.11.10.88 132096 Bytes 6/24/2011 14:07:22
VBASE025.VDF : 7.11.10.112 138752 Bytes 6/27/2011 14:07:24
VBASE026.VDF : 7.11.10.148 162304 Bytes 6/29/2011 14:07:24
VBASE027.VDF : 7.11.10.158 168448 Bytes 6/29/2011 14:07:26
VBASE028.VDF : 7.11.10.188 175616 Bytes 7/1/2011 14:07:26
VBASE029.VDF : 7.11.10.189 2048 Bytes 7/1/2011 14:07:26
VBASE030.VDF : 7.11.10.190 2048 Bytes 7/1/2011 14:07:26
VBASE031.VDF : 7.11.10.197 24064 Bytes 7/1/2011 14:07:26
Engineversion : 8.2.5.34
AEVDF.DLL : 8.1.2.1 106868 Bytes 4/21/2011 13:53:30
AESCRIPT.DLL : 8.1.3.69 1614203 Bytes 7/2/2011 14:07:38
AESCN.DLL : 8.1.7.2 127349 Bytes 4/21/2011 13:53:28
AESBX.DLL : 8.2.1.34 323957 Bytes 6/16/2011 06:54:02
AERDL.DLL : 8.1.9.12 639348 Bytes 7/2/2011 14:07:36
AEPACK.DLL : 8.2.6.9 557429 Bytes 6/16/2011 06:54:02
AEOFFICE.DLL : 8.1.1.25 205178 Bytes 6/16/2011 06:54:02
AEHEUR.DLL : 8.1.2.136 3584376 Bytes 7/2/2011 14:07:34
AEHELP.DLL : 8.1.17.2 246135 Bytes 6/16/2011 06:54:02
AEGEN.DLL : 8.1.5.6 401780 Bytes 6/16/2011 06:54:02
AEEMU.DLL : 8.1.3.0 393589 Bytes 4/21/2011 13:53:16
AECORE.DLL : 8.1.21.1 196983 Bytes 6/16/2011 06:54:02
AEBB.DLL : 8.1.1.0 53618 Bytes 4/21/2011 13:53:16
AVWINLL.DLL : 10.0.0.0 19304 Bytes 4/21/2011 13:53:38
AVPREF.DLL : 10.0.3.2 44904 Bytes 7/2/2011 14:23:34
AVREP.DLL : 10.0.0.10 174120 Bytes 7/2/2011 14:23:46
AVARKT.DLL : 10.0.26.1 255336 Bytes 7/2/2011 14:23:32
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 7/2/2011 14:23:34
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 21:27:24
AVSMTP.DLL : 10.0.0.17 63848 Bytes 4/21/2011 13:53:38
NETNT.DLL : 10.0.0.0 11624 Bytes 4/21/2011 13:53:48
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 7/2/2011 14:23:28
RCTEXT.DLL : 10.0.64.0 97640 Bytes 7/2/2011 14:23:30

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, F:, G:, H:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Advanced

Start of the scan: Saturday, July 02, 2011 12:43

Starting search for hidden objects.
An ARK library instance is already running.

The scan of running processes will be started
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '53' Module(s) have been scanned
Scan process 'dllhost.exe' - '44' Module(s) have been scanned
Scan process 'vssvc.exe' - '38' Module(s) have been scanned
Scan process 'avscan.exe' - '62' Module(s) have been scanned
Scan process 'avscan.exe' - '64' Module(s) have been scanned
Scan process 'avcenter.exe' - '65' Module(s) have been scanned
Scan process 'ctfmon.exe' - '31' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '39' Module(s) have been scanned
Scan process 'Skype.exe' - '123' Module(s) have been scanned
Scan process 'wscntfy.exe' - '22' Module(s) have been scanned
Scan process 'rapimgr.exe' - '47' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'LVComSer.exe' - '38' Module(s) have been scanned
Scan process 'CachemanTray.exe' - '31' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '47' Module(s) have been scanned
Scan process 'wcescomm.exe' - '48' Module(s) have been scanned
Scan process 'cfp.exe' - '51' Module(s) have been scanned
Scan process 'avgnt.exe' - '53' Module(s) have been scanned
Scan process 'jusched.exe' - '24' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'Explorer.EXE' - '92' Module(s) have been scanned
Scan process 'RichVideo.exe' - '24' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '21' Module(s) have been scanned
Scan process 'LVPrcSrv.exe' - '19' Module(s) have been scanned
Scan process 'LVComSer.exe' - '39' Module(s) have been scanned
Scan process 'LogMeIn.exe' - '76' Module(s) have been scanned
Scan process 'RaMaint.exe' - '47' Module(s) have been scanned
Scan process 'LMIGuardianSvc.exe' - '32' Module(s) have been scanned
Scan process 'KMWDSrv.exe' - '23' Module(s) have been scanned
Scan process 'jqs.exe' - '35' Module(s) have been scanned
Scan process 'IntuitUpdateService.exe' - '67' Module(s) have been scanned
Scan process 'avshadow.exe' - '28' Module(s) have been scanned
Scan process 'CachemanServ.exe' - '21' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '36' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '48' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'sched.exe' - '47' Module(s) have been scanned
Scan process 'spoolsv.exe' - '72' Module(s) have been scanned
Scan process 'svchost.exe' - '46' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '157' Module(s) have been scanned
Scan process 'cmdagent.exe' - '70' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '54' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '39' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '29' Module(s) have been scanned
Scan process 'winlogon.exe' - '68' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!
Boot sector 'H:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1365' files ).


Starting the file scan:

Begin scan in 'C:\' <DRV2_VOL1>
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1866\A0265838.EXE
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
Begin scan in 'D:\'
D:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1866\A0265836.exe
[DETECTION] Is the TR/Dldr.Banload.ayjc Trojan
D:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1866\A0265837.exe
--> Object
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
Begin scan in 'F:\'
Begin scan in 'G:\'
Begin scan in 'H:\'

Beginning disinfection:
D:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1866\A0265837.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4cff338a.qua'.
D:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1866\A0265836.exe
[DETECTION] Is the TR/Dldr.Banload.ayjc Trojan
[NOTE] The file was moved to the quarantine directory under the name '54681c2d.qua'.
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1866\A0265838.EXE
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[WARNING] The file could not be copied to quarantine!
[WARNING] An exception has been identified!
[NOTE] The file is scheduled for deleting after reboot.
[NOTE] For the final repair, a restart of the computer is instigated.


End of the scan: Saturday, July 02, 2011 16:11
Used time: 3:20:33 Hour(s)

The scan has been done completely.

20748 Scanned directories
611848 Files were scanned
3 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
611845 Files not concerned
5532 Archives were scanned
1 Warnings
3 Notes

The repair notes were written to the file 'C:\avrescue\rescue.avp'.

*********************************************************



Avira AntiVir Personal
Report file date: Saturday, July 02, 2011 08:58

Scanning for 2870057 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : _
Computer name : FERAL

Version information:
BUILD.DAT : 10.2.0.696 35934 Bytes 6/29/2011 17:32:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 7/2/2011 14:23:36
AVSCAN.DLL : 10.0.5.0 47464 Bytes 7/2/2011 14:23:36
LUKE.DLL : 10.3.0.5 45416 Bytes 7/2/2011 14:23:42
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 06:40:50
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 7/2/2011 14:23:46
AVREG.DLL : 10.3.0.7 90472 Bytes 7/2/2011 14:23:46
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 16:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 13:53:56
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 13:53:58
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 18:36:58
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 18:18:24
VBASE005.VDF : 7.11.8.179 2048 Bytes 5/31/2011 18:18:24
VBASE006.VDF : 7.11.8.180 2048 Bytes 5/31/2011 18:18:24
VBASE007.VDF : 7.11.8.181 2048 Bytes 5/31/2011 18:18:24
VBASE008.VDF : 7.11.8.182 2048 Bytes 5/31/2011 18:18:24
VBASE009.VDF : 7.11.8.183 2048 Bytes 5/31/2011 18:18:24
VBASE010.VDF : 7.11.8.184 2048 Bytes 5/31/2011 18:18:24
VBASE011.VDF : 7.11.8.185 2048 Bytes 5/31/2011 18:18:24
VBASE012.VDF : 7.11.8.186 2048 Bytes 5/31/2011 18:18:24
VBASE013.VDF : 7.11.8.222 121856 Bytes 6/2/2011 07:49:16
VBASE014.VDF : 7.11.9.7 134656 Bytes 6/4/2011 21:10:36
VBASE015.VDF : 7.11.9.42 136192 Bytes 6/6/2011 21:39:58
VBASE016.VDF : 7.11.9.72 117248 Bytes 6/7/2011 20:44:58
VBASE017.VDF : 7.11.9.107 130560 Bytes 6/9/2011 13:03:42
VBASE018.VDF : 7.11.9.143 132096 Bytes 6/10/2011 22:53:42
VBASE019.VDF : 7.11.9.172 141824 Bytes 6/14/2011 12:29:56
VBASE020.VDF : 7.11.9.214 144896 Bytes 6/15/2011 22:32:36
VBASE021.VDF : 7.11.9.244 196608 Bytes 6/16/2011 23:51:32
VBASE022.VDF : 7.11.10.28 152576 Bytes 6/20/2011 14:07:20
VBASE023.VDF : 7.11.10.53 210432 Bytes 6/21/2011 14:07:22
VBASE024.VDF : 7.11.10.88 132096 Bytes 6/24/2011 14:07:22
VBASE025.VDF : 7.11.10.112 138752 Bytes 6/27/2011 14:07:24
VBASE026.VDF : 7.11.10.148 162304 Bytes 6/29/2011 14:07:24
VBASE027.VDF : 7.11.10.158 168448 Bytes 6/29/2011 14:07:26
VBASE028.VDF : 7.11.10.188 175616 Bytes 7/1/2011 14:07:26
VBASE029.VDF : 7.11.10.189 2048 Bytes 7/1/2011 14:07:26
VBASE030.VDF : 7.11.10.190 2048 Bytes 7/1/2011 14:07:26
VBASE031.VDF : 7.11.10.197 24064 Bytes 7/1/2011 14:07:26
Engineversion : 8.2.5.34
AEVDF.DLL : 8.1.2.1 106868 Bytes 4/21/2011 13:53:30
AESCRIPT.DLL : 8.1.3.69 1614203 Bytes 7/2/2011 14:07:38
AESCN.DLL : 8.1.7.2 127349 Bytes 4/21/2011 13:53:28
AESBX.DLL : 8.2.1.34 323957 Bytes 6/16/2011 06:54:02
AERDL.DLL : 8.1.9.12 639348 Bytes 7/2/2011 14:07:36
AEPACK.DLL : 8.2.6.9 557429 Bytes 6/16/2011 06:54:02
AEOFFICE.DLL : 8.1.1.25 205178 Bytes 6/16/2011 06:54:02
AEHEUR.DLL : 8.1.2.136 3584376 Bytes 7/2/2011 14:07:34
AEHELP.DLL : 8.1.17.2 246135 Bytes 6/16/2011 06:54:02
AEGEN.DLL : 8.1.5.6 401780 Bytes 6/16/2011 06:54:02
AEEMU.DLL : 8.1.3.0 393589 Bytes 4/21/2011 13:53:16
AECORE.DLL : 8.1.21.1 196983 Bytes 6/16/2011 06:54:02
AEBB.DLL : 8.1.1.0 53618 Bytes 4/21/2011 13:53:16
AVWINLL.DLL : 10.0.0.0 19304 Bytes 4/21/2011 13:53:38
AVPREF.DLL : 10.0.3.2 44904 Bytes 7/2/2011 14:23:34
AVREP.DLL : 10.0.0.10 174120 Bytes 7/2/2011 14:23:46
AVARKT.DLL : 10.0.26.1 255336 Bytes 7/2/2011 14:23:32
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 7/2/2011 14:23:34
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 21:27:24
AVSMTP.DLL : 10.0.0.17 63848 Bytes 4/21/2011 13:53:38
NETNT.DLL : 10.0.0.0 11624 Bytes 4/21/2011 13:53:48
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 7/2/2011 14:23:28
RCTEXT.DLL : 10.0.64.0 97640 Bytes 7/2/2011 14:23:30

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, F:, G:, H:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Advanced

Start of the scan: Saturday, July 02, 2011 08:58

Starting search for hidden objects.
c:\windowz\system32\ntmsdata\ntmsjrnl
c:\windowz\system32\ntmsdata\ntmsjrnl
[NOTE] The file is not visible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6041C420-22B4-140A-3B055037524C6B59}\{9A77D18C-4DFD-83C2-41C1A5F44022B903}\{B579578C-D2DD-BD46-01C9D6D000184189}\axbbezdr5gg1rhh1sv4gcui36h1
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DAB5C844-BE4A-29F4-AD8FABA4C17947A0}\{6913C59A-116F-5212-1A8157F10917C9CC}\{8C3FE3F0-4F1D-5A94-937677A4B6D15CAE}\axbbezdr5gg1rhh1sv4gcui36h1
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F9807A10-4727-9AC7-5739BD03864C7141}\{F4D35AF9-854F-CCC6-B4221006081D3FF5}\{1DA5733C-531E-5F12-5A70B13F4DD5DE9D}\axbbezdr5gg1rhh1sv4gcui36h1
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\display string
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1343024091-746137067-725345543-1003\Software\SecuROM\License information\datasecu
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1343024091-746137067-725345543-1003\Software\SecuROM\License information\rkeysecu
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '31' Module(s) have been scanned
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '62' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avscan.exe' - '68' Module(s) have been scanned
Scan process 'avcenter.exe' - '98' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '35' Module(s) have been scanned
Scan process 'SpybotSD.exe' - '72' Module(s) have been scanned
Scan process 'Explorer.EXE' - '83' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'LVComSer.exe' - '37' Module(s) have been scanned
Scan process 'wscntfy.exe' - '21' Module(s) have been scanned
Scan process 'Skype.exe' - '102' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'rapimgr.exe' - '45' Module(s) have been scanned
Scan process 'CachemanTray.exe' - '29' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '43' Module(s) have been scanned
Scan process 'wcescomm.exe' - '46' Module(s) have been scanned
Scan process 'RichVideo.exe' - '24' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '21' Module(s) have been scanned
Scan process 'LVPrcSrv.exe' - '19' Module(s) have been scanned
Scan process 'LVComSer.exe' - '39' Module(s) have been scanned
Scan process 'LogMeIn.exe' - '76' Module(s) have been scanned
Scan process 'avgnt.exe' - '53' Module(s) have been scanned
Scan process 'jusched.exe' - '23' Module(s) have been scanned
Scan process 'RaMaint.exe' - '44' Module(s) have been scanned
Scan process 'LMIGuardianSvc.exe' - '31' Module(s) have been scanned
Scan process 'KMWDSrv.exe' - '23' Module(s) have been scanned
Scan process 'jqs.exe' - '35' Module(s) have been scanned
Scan process 'IntuitUpdateService.exe' - '68' Module(s) have been scanned
Scan process 'CachemanServ.exe' - '21' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '36' Module(s) have been scanned
Scan process 'avshadow.exe' - '28' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '48' Module(s) have been scanned
Scan process 'avguard.exe' - '57' Module(s) have been scanned
Scan process 'Explorer.EXE' - '88' Module(s) have been scanned
Scan process 'sched.exe' - '47' Module(s) have been scanned
Scan process 'spoolsv.exe' - '72' Module(s) have been scanned
Scan process 'svchost.exe' - '45' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '161' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '54' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '39' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '29' Module(s) have been scanned
Scan process 'winlogon.exe' - '68' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!
Boot sector 'H:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1364' files ).


Starting the file scan:

Begin scan in 'C:\' <DRV2_VOL1>
C:\COUNTER.CAB
[0] Archive type: CAB (Microsoft)
--> counter.inf
[DETECTION] Is the TR/Dldr.AEE Trojan
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1866\A0265834.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Documents and Settings\All Users.WINDOWZ\Application Data\Spybot - Search & Destroy\Recovery\BugDoctor.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users.WINDOWZ\Application Data\Spybot - Search & Destroy\Recovery\BugDoctor1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users.WINDOWZ\Application Data\Spybot - Search & Destroy\Recovery\BugDoctor50.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\_.FERAL\Desktop\noctis\GO!.EXE
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
Begin scan in 'D:\'
D:\desktop stuff\SARC_Crk.exe
--> Object
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
D:\desktop stuff\ipaq software\Pocket Pc 2002 - Everquest Episode 2 - Attack On Qeynos.zip
[0] Archive type: ZIP
--> EverQuest-Ep2-SETUP.zip
[1] Archive type: ZIP
--> setup-Everquest.E2.v2.0.0.1/setup.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
D:\desktop stuff\recent software downloads 42805\alcohol120percentv1.9.2build1705crackcim.zip
[0] Archive type: ZIP
--> Crack.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
D:\Java\[GAMES] 3D.rar
[0] Archive type: RAR
--> [SEXY GAMES] 3D Slut\3DL\3DPlugin.EXE
--> [SEXY GAMES] 3D Slut\3DL\iWeb\iws.exe
[DETECTION] Is the TR/Vilsel.aoff Trojan
D:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1866\A0265747.exe
[DETECTION] Is the TR/Anomaly.950528.D.1 Trojan
D:\wLite\wSettingsCleaner.exe
[DETECTION] Is the TR/Dldr.Banload.ayjc Trojan
Begin scan in 'F:\'
Begin scan in 'G:\'
Begin scan in 'H:\'

Beginning disinfection:
D:\wLite\wSettingsCleaner.exe
[DETECTION] Is the TR/Dldr.Banload.ayjc Trojan
[NOTE] The file was moved to the quarantine directory under the name '4d16f8c3.qua'.
D:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1866\A0265747.exe
[DETECTION] Is the TR/Anomaly.950528.D.1 Trojan
[NOTE] The file was moved to the quarantine directory under the name '55b4d701.qua'.
D:\Java\[GAMES] 3D.rar
[DETECTION] Is the TR/Vilsel.aoff Trojan
[NOTE] The file was moved to the quarantine directory under the name '07fa8d90.qua'.
D:\desktop stuff\recent software downloads 42805\alcohol120percentv1.9.2build1705crackcim.zip
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '61efc275.qua'.
D:\desktop stuff\ipaq software\Pocket Pc 2002 - Everquest Episode 2 - Attack On Qeynos.zip
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '246bef56.qua'.
D:\desktop stuff\SARC_Crk.exe
[DETECTION] Is the TR/Crypt.CFI.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5b63dd00.qua'.
C:\Documents and Settings\_.FERAL\Desktop\noctis\GO!.EXE
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '178af15c.qua'.
C:\Documents and Settings\All Users.WINDOWZ\Application Data\Spybot - Search & Destroy\Recovery\BugDoctor50.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Documents and Settings\All Users.WINDOWZ\Application Data\Spybot - Search & Destroy\Recovery\BugDoctor1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Documents and Settings\All Users.WINDOWZ\Application Data\Spybot - Search & Destroy\Recovery\BugDoctor.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1866\A0265834.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '338d8987.qua'.
C:\COUNTER.CAB
[DETECTION] Is the TR/Dldr.AEE Trojan
[NOTE] The file was moved to the quarantine directory under the name '4211b073.qua'.


End of the scan: Saturday, July 02, 2011 11:57
Used time: 2:29:58 Hour(s)

The scan has been done completely.

21198 Scanned directories
623813 Files were scanned
9 Viruses and/or unwanted programs were found
3 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
9 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
623801 Files not concerned
5677 Archives were scanned
0 Warnings
20 Notes
973271 Objects were scanned with rootkit scan
8 Hidden objects were found

**************************************************************

And then ESET Results:

C:\Program Files\MSN Messenger\RICHED20.DLL Win32/FunWeb application
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1845\A0259008.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1846\A0259075.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1848\A0261029.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1848\A0262071.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1850\A0262286.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{F6C502B3-6AEB-44F7-9CC0-3311AA5B03CE}\RP1850\A0262457.dll a variant of Win32/Kryptik.PQF trojan
C:\Documents and Settings\_.FERAL\Application Data\Mozilla\Firefox\Profiles\rrxffl6c.default\extensions\{213bba21-cb64-4856-be71-350bba168733}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\_.FERAL\Application Data\Mozilla\Firefox\Profiles\rrxffl6c.default\extensions\{738adc9f-6adf-4ad1-a1a0-4a2a53334519}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
D:\desktop stuff\recent software downloads 42805\nero7.rar Win32/Toolbar.AskSBar application


I have the feeling that FunWeb is creating the Tracur.F trojan entries, but that's just my gut.
Eager to hear from you soon! Thank you!
Edit: Just went through the logs and Wow! I knew I should have wiped the drives when I bought this machine. There's all kinds of old garbage on here. Don't do cracks, kids!
Edit: On further thought, I never use MSN Messenger, so it isn't FunWeb, it's those Firefox extensions. No idea how to get rid of them though.

Edited by Yttermayn, 03 July 2011 - 09:06 AM.
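Post #5 ends with the two GUID-named Firefox extension directories that ESET flagged as Tracur.F and no obvious way to see what else is installed across the profiles. The script below is an added example written for this page, not code from the thread or from any of the tools named in it; it assumes the default profile location under %APPDATA%\Mozilla\Firefox\Profiles and the install.rdf / chrome.manifest layout that unpacked extensions of that era use, and the function name is mine:

```powershell
# Added example, not code from this thread. Lists the extensions installed in each
# Firefox profile so that GUID-named entries like the two ESET flagged can be reviewed.
# Assumption: profiles live under %APPDATA%\Mozilla\Firefox\Profiles (the default).
function Get-FirefoxExtensionInventory {
    param(
        [string]$ProfilesRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles')
    )
    if (-not (Test-Path $ProfilesRoot)) {
        Write-Warning "No Firefox profile directory at $ProfilesRoot"
        return
    }
    # PSIsContainer keeps this working on PowerShell 2.0, which lacks -Directory.
    $profiles = Get-ChildItem $ProfilesRoot | Where-Object { $_.PSIsContainer }
    foreach ($profile in $profiles) {
        $extDir = Join-Path $profile.FullName 'extensions'
        if (-not (Test-Path $extDir)) { continue }
        foreach ($ext in Get-ChildItem $extDir) {
            $name = $null
            $manifestLines = 0
            if ($ext.PSIsContainer) {
                # Unpacked extension: install.rdf carries <em:name>; chrome.manifest
                # registers the content/overlay entries the browser will load.
                $installRdf = Join-Path $ext.FullName 'install.rdf'
                $manifest   = Join-Path $ext.FullName 'chrome.manifest'
                if (Test-Path $installRdf) {
                    $text = [string](Get-Content $installRdf)
                    if ($text -match '<em:name>([^<]+)</em:name>') { $name = $matches[1] }
                }
                if (Test-Path $manifest) {
                    $manifestLines = @(Get-Content $manifest | Where-Object { $_ -match '\S' }).Count
                }
            }
            New-Object PSObject -Property @{
                Profile       = $profile.Name
                ExtensionId   = $ext.Name          # compare against the IDs in the ESET log
                Name          = $name              # null for packed .xpi files
                LastWrite     = $ext.LastWriteTime
                ManifestLines = $manifestLines
            }
        }
    }
}

# Sort so each profile's extensions appear together, then read the rows for IDs
# you do not recognise and open their chrome.manifest before deciding anything.
Get-FirefoxExtensionInventory | Sort-Object Profile, ExtensionId |
    Format-Table Profile, ExtensionId, Name, LastWrite, ManifestLines -AutoSize
```

The inventory is read-only on purpose: an extension that turns out to be part of a downloader is best handled by the tools the helper prescribes, with the directory left in place until the scan logs confirm what it is.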


#6 Clairvoyant

  • Malware Response Team
  • 1,564 posts

Posted 03 July 2011 - 03:44 PM


Hi Yttermayn,

Have you updated Java and installed Comodo/Online Armor?

The infection may be exploiting security flaws in outdated Java, and the HIPS feature (if activated, of course) of the firewall that I suggested before should block unauthorized actions.

For now I suggest you uninstall everything you don't use, even browsers except IE, and perform a scan with Antivir in Safe Mode.
Then use TFC again, reboot your computer and install a browser (Opera, Firefox or Chrome-based browsers).

Next, if you have Daemon Tools or other similar software installed (I see Alcohol 120%), disable it and disable your security software as well, then scan your computer with GMER following point 8 of this guide.

Finally, remember to re-enable the protections that you have disabled and then include the contents of all reports in your reply.


Regards

Edited by Clairvoyant, 03 July 2011 - 04:10 PM.


#7 Yttermayn

  • Topic Starter
  • Members
  • 10 posts

Posted 03 July 2011 - 07:19 PM


Hi Yttermayn,

have you updated Java and installed Comodo/Online Armor?

Regards


Yes, and yes.

#8 Yttermayn

  • Topic Starter
  • Members
  • 10 posts

Posted 04 July 2011 - 09:43 AM

Clairvoyant, I am having difficulty booting safe mode. I was getting BSODs when I hit A347BUS.sys, so I tried to uninstall Alcohol 120. Unfortunately, my system for some reason doesn't see Alcohol 120 as being installed, so I manually deleted its files. Then I removed the registry key for A347BUS.SYS and rebooted. I then deleted the A347BUS.SYS file and tried safe mode again. This time a BSOD on SPTD.SYS. A little more research and I found that it is also part of Alcohol, so I repeated the procedure. I still BSOD booting safe mode though, and I am not sure how to proceed now. The BSOD happens in pretty much the same place, though I no longer see the two previously mentioned files attempting to load.

Thanks!

#9 Clairvoyant

  • Malware Response Team
  • 1,564 posts

Posted 04 July 2011 - 03:34 PM

Hi Yttermayn, :)

Deleting those files manually hasn't been a good idea, I think; this way Alcohol isn't uninstalled correctly.
It would have been better if you had written here that you couldn't restart in Safe Mode, without doing anything.

About the manual uninstall, you should have followed this FAQ on the official Alcohol site.
If you decide to proceed with the manual uninstall, you will do it at your own risk.
In this case I suggest you back up every relevant file to a safe location, e.g. an external drive.

If you decide not to proceed with the manual uninstall, you can try going to Control Panel => Administrative Tools => Services and looking for Alcohol-related services.
If you find them, select the services, right-click on them => Properties, click Stop under Service Status and select Disabled under Startup type, then click Apply.

Then you can try again to reboot in Safe Mode and, if you aren't able to, leave out the Antivir scan and proceed with GMER as indicated in my previous post.

Please include the contents of all reports in your next reply; then we shall see how we may proceed.



Regards.

Edited by Clairvoyant, 04 July 2011 - 04:25 PM.
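Clairvoyant's Services snap-in steps (find the Alcohol-related services, Stop, Startup type Disabled) can be done the same way from an elevated PowerShell prompt, with the advantage that a WMI query also shows kernel drivers such as the A347BUS.SYS and SPTD.SYS entries that Yttermayn was fighting, which Get-Service does not list. This is an added example for this page, not code from the thread; the name pattern alcohol|sptd|a347 is an assumption drawn from the driver names mentioned above, and the function names are mine:

```powershell
# Added example, not code from this thread. Mirrors the Services MMC steps above
# (find the service, Stop, set Startup type to Disabled) from an elevated prompt.
# WMI is used because Win32_SystemDriver also covers kernel drivers such as sptd
# and a347bus, which Get-Service does not list. The pattern is an assumption.
function Find-MatchingService {
    param([Parameter(Mandatory=$true)][string]$Pattern)
    $all = @(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver)
    $all | Where-Object {
        $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern
    } | Select-Object Name, DisplayName, State, StartMode, PathName
}

function Disable-MatchingService {
    # SupportsShouldProcess gives us -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Pattern)
    $all = @(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver)
    $targets = $all | Where-Object {
        $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern
    }
    foreach ($svc in $targets) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and set start mode to Disabled')) {
            if ($svc.State -eq 'Running') {
                # StopService/ChangeStartMode are Win32_BaseService methods, shared by
                # services and drivers; ReturnValue 0 means success.
                $stop = $svc.StopService()
                "{0}: StopService returned {1}" -f $svc.Name, $stop.ReturnValue
            }
            $cfg = $svc.ChangeStartMode('Disabled')
            "{0}: ChangeStartMode returned {1}" -f $svc.Name, $cfg.ReturnValue
        }
    }
}

# Review the matches first, preview the change with -WhatIf, and only then run it for real.
Find-MatchingService -Pattern 'alcohol|sptd|a347' | Format-Table -AutoSize
Disable-MatchingService -Pattern 'alcohol|sptd|a347' -WhatIf
# Disable-MatchingService -Pattern 'alcohol|sptd|a347'
```

A kernel driver that is currently loaded will often refuse StopService with a non-zero ReturnValue; that is expected, and the ChangeStartMode call still takes effect so the driver stays out of the next boot, which is what the Services dialog's Disabled setting does as well. Disabling through the SCM this way leaves the registry key and the .sys file in place, so a later uninstaller or FAQ procedure still has everything it expects to find.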


#10 Yttermayn

  • Topic Starter
  • Members
  • 10 posts

Posted 05 July 2011 - 08:50 AM

The FAQ listed removing the driver registry keys as the way to stop them from running, and they are the same registry keys I already deleted, so no harm there. There were a couple of other registry keys that had to do with (presumably) the install status. One was missing already, which is probably why I couldn't uninstall it normally. I removed the other entry listed. Once rebooted, the .sys drivers can be deleted, which I also did.
Anyways, safe mode is still messed up, but I ran Antivir anyways. I had gone and manually deleted the infected files/programs listed in ESET's last report, after of course checking what they were. There were no problems.

Forum won't let me post gmer report - too long. I don't see any attachment options either.

Antivir Report:

Avira AntiVir Personal
Report file date: Monday, July 04, 2011 18:26

Scanning for 2876876 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : FERAL

Version information:
BUILD.DAT : 10.2.0.696 35934 Bytes 6/29/2011 17:32:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 7/2/2011 14:23:36
AVSCAN.DLL : 10.0.5.0 47464 Bytes 7/2/2011 14:23:36
LUKE.DLL : 10.3.0.5 45416 Bytes 7/2/2011 14:23:42
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 06:40:50
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 7/2/2011 14:23:46
AVREG.DLL : 10.3.0.7 90472 Bytes 7/2/2011 14:23:46
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 16:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 13:53:56
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 13:53:58
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 18:36:58
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 18:18:24
VBASE005.VDF : 7.11.8.179 2048 Bytes 5/31/2011 18:18:24
VBASE006.VDF : 7.11.8.180 2048 Bytes 5/31/2011 18:18:24
VBASE007.VDF : 7.11.8.181 2048 Bytes 5/31/2011 18:18:24
VBASE008.VDF : 7.11.8.182 2048 Bytes 5/31/2011 18:18:24
VBASE009.VDF : 7.11.8.183 2048 Bytes 5/31/2011 18:18:24
VBASE010.VDF : 7.11.8.184 2048 Bytes 5/31/2011 18:18:24
VBASE011.VDF : 7.11.8.185 2048 Bytes 5/31/2011 18:18:24
VBASE012.VDF : 7.11.8.186 2048 Bytes 5/31/2011 18:18:24
VBASE013.VDF : 7.11.8.222 121856 Bytes 6/2/2011 07:49:16
VBASE014.VDF : 7.11.9.7 134656 Bytes 6/4/2011 21:10:36
VBASE015.VDF : 7.11.9.42 136192 Bytes 6/6/2011 21:39:58
VBASE016.VDF : 7.11.9.72 117248 Bytes 6/7/2011 20:44:58
VBASE017.VDF : 7.11.9.107 130560 Bytes 6/9/2011 13:03:42
VBASE018.VDF : 7.11.9.143 132096 Bytes 6/10/2011 22:53:42
VBASE019.VDF : 7.11.9.172 141824 Bytes 6/14/2011 12:29:56
VBASE020.VDF : 7.11.9.214 144896 Bytes 6/15/2011 22:32:36
VBASE021.VDF : 7.11.9.244 196608 Bytes 6/16/2011 23:51:32
VBASE022.VDF : 7.11.10.28 152576 Bytes 6/20/2011 14:07:20
VBASE023.VDF : 7.11.10.53 210432 Bytes 6/21/2011 14:07:22
VBASE024.VDF : 7.11.10.88 132096 Bytes 6/24/2011 14:07:22
VBASE025.VDF : 7.11.10.112 138752 Bytes 6/27/2011 14:07:24
VBASE026.VDF : 7.11.10.148 162304 Bytes 6/29/2011 14:07:24
VBASE027.VDF : 7.11.10.158 168448 Bytes 6/29/2011 14:07:26
VBASE028.VDF : 7.11.10.188 175616 Bytes 7/1/2011 14:07:26
VBASE029.VDF : 7.11.10.189 2048 Bytes 7/1/2011 14:07:26
VBASE030.VDF : 7.11.10.190 2048 Bytes 7/1/2011 14:07:26
VBASE031.VDF : 7.11.10.213 123904 Bytes 7/4/2011 00:20:18
Engineversion : 8.2.5.34
AEVDF.DLL : 8.1.2.1 106868 Bytes 4/21/2011 13:53:30
AESCRIPT.DLL : 8.1.3.69 1614203 Bytes 7/2/2011 14:07:38
AESCN.DLL : 8.1.7.2 127349 Bytes 4/21/2011 13:53:28
AESBX.DLL : 8.2.1.34 323957 Bytes 6/16/2011 06:54:02
AERDL.DLL : 8.1.9.12 639348 Bytes 7/2/2011 14:07:36
AEPACK.DLL : 8.2.6.9 557429 Bytes 6/16/2011 06:54:02
AEOFFICE.DLL : 8.1.1.25 205178 Bytes 6/16/2011 06:54:02
AEHEUR.DLL : 8.1.2.136 3584376 Bytes 7/2/2011 14:07:34
AEHELP.DLL : 8.1.17.2 246135 Bytes 6/16/2011 06:54:02
AEGEN.DLL : 8.1.5.6 401780 Bytes 6/16/2011 06:54:02
AEEMU.DLL : 8.1.3.0 393589 Bytes 4/21/2011 13:53:16
AECORE.DLL : 8.1.21.1 196983 Bytes 6/16/2011 06:54:02
AEBB.DLL : 8.1.1.0 53618 Bytes 4/21/2011 13:53:16
AVWINLL.DLL : 10.0.0.0 19304 Bytes 4/21/2011 13:53:38
AVPREF.DLL : 10.0.3.2 44904 Bytes 7/2/2011 14:23:34
AVREP.DLL : 10.0.0.10 174120 Bytes 7/2/2011 14:23:46
AVARKT.DLL : 10.0.26.1 255336 Bytes 7/2/2011 14:23:32
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 7/2/2011 14:23:34
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 21:27:24
AVSMTP.DLL : 10.0.0.17 63848 Bytes 4/21/2011 13:53:38
NETNT.DLL : 10.0.0.0 11624 Bytes 4/21/2011 13:53:48
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 7/2/2011 14:23:28
RCTEXT.DLL : 10.0.64.0 97640 Bytes 7/2/2011 14:23:30

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, F:, G:, H:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Advanced

Start of the scan: Monday, July 04, 2011 18:26

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6041C420-22B4-140A-3B055037524C6B59}\{9A77D18C-4DFD-83C2-41C1A5F44022B903}\{B579578C-D2DD-BD46-01C9D6D000184189}\axbbezd

r5gg1rhh1sv4gcui36h1
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DAB5C844-BE4A-29F4-AD8FABA4C17947A0}\{6913C59A-116F-5212-1A8157F10917C9CC}\{8C3FE3F0-4F1D-5A94-937677A4B6D15CAE}\axbbezd

r5gg1rhh1sv4gcui36h1
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{F9807A10-4727-9AC7-5739BD03864C7141}\{F4D35AF9-854F-CCC6-B4221006081D3FF5}\{1DA5733C-531E-5F12-5A70B13F4DD5DE9D}\axbbezd

r5gg1rhh1sv4gcui36h1
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\display string
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1343024091-746137067-725345543-1003\Software\SecuROM\License information\datasecu
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1343024091-746137067-725345543-1003\Software\SecuROM\License information\rkeysecu
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '31' Module(s) have been scanned
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '61' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avscan.exe' - '69' Module(s) have been scanned
Scan process 'avcenter.exe' - '68' Module(s) have been scanned
Scan process 'cfpupdat.exe' - '72' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '49' Module(s) have been scanned
Scan process 'rapimgr.exe' - '48' Module(s) have been scanned
Scan process 'ctfmon.exe' - '28' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '39' Module(s) have been scanned
Scan process 'CachemanTray.exe' - '31' Module(s) have been scanned
Scan process 'wcescomm.exe' - '50' Module(s) have been scanned
Scan process 'cfp.exe' - '59' Module(s) have been scanned
Scan process 'avgnt.exe' - '60' Module(s) have been scanned
Scan process 'jusched.exe' - '25' Module(s) have been scanned
Scan process 'Explorer.EXE' - '114' Module(s) have been scanned
Scan process 'alg.exe' - '37' Module(s) have been scanned
Scan process 'AVWEBGRD.EXE' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'RichVideo.exe' - '24' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '21' Module(s) have been scanned
Scan process 'LVPrcSrv.exe' - '19' Module(s) have been scanned
Scan process 'LVComSer.exe' - '31' Module(s) have been scanned
Scan process 'LogMeIn.exe' - '83' Module(s) have been scanned
Scan process 'RaMaint.exe' - '47' Module(s) have been scanned
Scan process 'LMIGuardianSvc.exe' - '32' Module(s) have been scanned
Scan process 'KMWDSrv.exe' - '23' Module(s) have been scanned
Scan process 'jqs.exe' - '37' Module(s) have been scanned
Scan process 'avshadow.exe' - '28' Module(s) have been scanned
Scan process 'CachemanServ.exe' - '21' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '52' Module(s) have been scanned
Scan process 'avguard.exe' - '62' Module(s) have been scanned
Scan process 'sched.exe' - '48' Module(s) have been scanned
Scan process 'spoolsv.exe' - '70' Module(s) have been scanned
Scan process 'svchost.exe' - '46' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '163' Module(s) have been scanned
Scan process 'cmdagent.exe' - '81' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '54' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '39' Module(s) have been scanned
Scan process 'lsass.exe' - '61' Module(s) have been scanned
Scan process 'services.exe' - '29' Module(s) have been scanned
Scan process 'winlogon.exe' - '75' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!
Boot sector 'H:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1227' files ).


Starting the file scan:

Begin scan in 'C:\' <DRV2_VOL1>
C:\Documents and Settings\_.FERAL\Local Settings\Temporary Internet Files\Content.IE5\YMTOMVC2\Firefox%20Setup%205.0[1].exe
--> Object
[WARNING] The file could not be read!
[WARNING] The file could not be read!
Begin scan in 'D:\'
Begin scan in 'F:\'
Begin scan in 'G:\'
Begin scan in 'H:\'


End of the scan: Monday, July 04, 2011 20:18
Used time: 1:51:21 Hour(s)

The scan has been done completely.

18901 Scanned directories
594542 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
594542 Files not concerned
4482 Archives were scanned
2 Warnings
7 Notes
807240 Objects were scanned with rootkit scan
7 Hidden objects we

#11 Clairvoyant

  • Malware Response Team
  • 1,564 posts

Posted 06 July 2011 - 01:51 PM

Hi Yttermayn,

The computer seems almost clean; do you still have problems (apart from the messed-up Safe Mode)?
Please check C:\Documents and Settings\_.FERAL\Local Settings\Temporary Internet Files\Content.IE5\YMTOMVC2\Firefox%20Setup%205.0[1].exe with VirusTotal.

Forum won't let me post gmer report - too long. I don't see any attachment options either.

Well, for this you can try to copy and paste the content of it, or create a zip archive and use a service like megaupload or similar.

Let me know results of Virustotal scan, and include GMER log in next reply.


Regards

Edited by Clairvoyant, 06 July 2011 - 01:52 PM.


#12 Yttermayn

  • Topic Starter
  • Members
  • 10 posts

Posted 06 July 2011 - 10:00 PM

I haven't had any other problems, all seems well. The file (C:\Documents and Settings\_.FERAL\Local Settings\Temporary Internet Files\Content.IE5\YMTOMVC2\Firefox%20Setup%205.0[1].exe) no longer exists, nor its directory YMTOMVC2.
I had tried to cut and paste the report, but it made the post too long and bleepingC wouldn't allow it. I zipped it and dumped it on megaupload at the following location:
GMER report, zipped.

#13 Clairvoyant

  • Malware Response Team
  • 1,564 posts

Posted 07 July 2011 - 02:17 PM


Hi Yttermayn,

Well, the GMER log seems good, but I see some sptd service-related entries in the Registry section.
Have you uninstalled it as written on the page that I linked for the Alcohol uninstallation?

Regarding the boot in Safe Mode issue, you can try to fix it with SuperAntiSpyware.
In the main menu click Preferences => click on the Repairs tab => scroll down until you get to Repair broken SafeBoot key => select it => click on Perform Repair.
SuperAntiSpyware will prompt you to reboot your PC; allow it by clicking on OK.

Regards
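Post #13 raises two things a practitioner would want to verify for themselves rather than infer from a tool's dialog: whether the SafeBoot registry keys that Safe Mode boots from are still there (the "broken SafeBoot key" that SuperAntiSpyware offers to repair), and whether the sptd and a347bus driver entries that were removed by hand earlier in the thread are really gone. The script below is an added example for this page, not code from the thread or from SuperAntiSpyware; the driver names come from the posts above, the "healthy" threshold of 20 subkeys is an assumption (a stock XP SP3 install has several dozen under both Minimal and Network), the assumed driver file location is the standard System32\Drivers directory, and the function names are mine:

```powershell
# Added example, not code from this thread. Checks two things the thread turns on:
# whether the SafeBoot registry keys Safe Mode boots from are still intact, and whether
# the Alcohol 120% driver entries (sptd, a347bus) removed by hand have really gone.
# The "healthy" threshold of 20 entries is an assumption; a stock XP SP3 install has
# several dozen subkeys under both Minimal and Network.
function Test-SafeBootKeys {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($mode in 'Minimal', 'Network') {
        $key = "$base\$mode"
        $present = Test-Path $key
        $count = 0
        if ($present) { $count = @(Get-ChildItem $key).Count }
        New-Object PSObject -Property @{
            Mode         = $mode
            Present      = $present
            EntryCount   = $count
            LooksHealthy = ($present -and $count -ge 20)
        }
    }
}

function Get-LeftoverDriverEntries {
    param([string[]]$Names = @('sptd', 'a347bus'))
    foreach ($n in $Names) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        $present = Test-Path $key
        $image = $null
        $start = $null
        if ($present) {
            $props = Get-ItemProperty $key
            $image = $props.ImagePath
            $start = $props.Start   # 0=Boot 1=System 2=Auto 3=Manual 4=Disabled
        }
        New-Object PSObject -Property @{
            Driver     = $n
            KeyPresent = $present
            ImagePath  = $image
            Start      = $start
            # Assumed default location for these drivers; adjust if ImagePath says otherwise.
            FileOnDisk = Test-Path (Join-Path $env:SystemRoot "System32\Drivers\$n.sys")
        }
    }
}

Test-SafeBootKeys | Format-Table Mode, Present, EntryCount, LooksHealthy -AutoSize
Get-LeftoverDriverEntries | Format-Table Driver, KeyPresent, Start, ImagePath, FileOnDisk -AutoSize
```

Run it once before the SafeBoot repair and once after the reboot it asks for: the first run should show Minimal or Network with Present = False or a very low EntryCount, and the second should show both back above the threshold. A driver row with KeyPresent = True but FileOnDisk = False is the half-removed state the thread describes, where the service key still tells the loader to start a file that no longer exists, and is worth cleaning up the way the Alcohol FAQ describes rather than leaving for the next boot to stumble over.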



#14 Yttermayn

  • Topic Starter
  • Members
  • 10 posts

Posted 08 July 2011 - 08:41 AM

Yes, I did remove the Alcohol installation as described in the FAQ, with the exception of one registry entry that it tells you to delete. On my system, the entry didn't exist and so I was unable to delete it.

SuperAntiSpyware fixed the safe boot problem, so thanks! That is awesome. I seem to be pretty much trouble-free now.

#15 Clairvoyant

  • Malware Response Team
  • 1,564 posts

Posted 08 July 2011 - 12:47 PM

Hi Yttermayn.
Well, at this point I would say that your computer problems are gone.
If you encounter other problems not malware-related, open a new topic in this section linking this one, so the helpers can learn more about what we did.

Regards

Edited by Clairvoyant, 08 July 2011 - 01:27 PM.




