
Infected with XP Home Security 2012 name changing rogue


29 replies to this topic

#1 Noah Body

Posted 30 July 2011 - 12:14 PM

Greetings BleepingComputer

I have run afoul with the XP Home Security 2012 rogue and was hoping that I could get some help with it. This malware appears to have improved its defenses since June of 2011.

My problem started when I discovered a new hidden temp file named “itqsytnghv.tmp” on my desktop. The file always appears to be empty. Windows Defender did not pick up on this. I downloaded Malwarebytes and it found “authz32.dll” and 6 or 7 other related files associated with it, and removed them with no problem, and that seemed to be the end of it. No more hidden file creation when using IE8. Checking the windows\system32 folder where the .dll was, I found “authz32.exe” that MWB had not removed. While looking for info on this, I got hit with:

XP Home Security 2012, which completely overrode my computer and directed me to the fix-for-dollars scam site. MWBytes was tried and made inoperable. Research led me to:

Remove Win 7 Antispyware 2012 and Vista Antivirus 2012 name changing rogue (Uninstall Guide)
Posted by Grinler on June 7, 2011. This was the best and most informative info I have found, and many thanks for getting my computer usable again to some degree. I see some hope. Where I was unsuccessful was in the removing of the malware. Currently my version of this rogue will not allow any malware removal tools to work. What has helped is the FixNCR.reg and RKill d/l from the article. After running those files, I have tried MWBytes, SuperAntiSpyware, Norton’s specific fix (which left me with the BSOD), Windows Defender, MS Security Essentials, and MS Malicious Software Removal. All were slapped down in the first few seconds of scanning. Of all of those, MWBytes is the only one that can be reinstalled at this point. (MS Security reinstall also led to the BSOD). So…

In prepping for this post I have been to http://www.bleepingcomputer.com/forums/topic34773.html’s 10 steps and am posting the results.
Steps 1 – 6 no problem.
Step 7 run DDS was done after a fresh boot but before FixNCR and RKill – no problem.
Step 8 GMER Log, the rogue killed it and made it unusable and tricky to delete, but I am able to reinstall. However I was able to take a screen shot of the first screen where the parameters are set and have attached a zip of that if that is any help. Once I hit the scan button, Gmer is gone.

On the brighter side it is amusing to me to watch RKill work or do battle with this rogue. The screen flashes, the icons blink, RKill’s window appears and disappears, finally to come back just about the time I think it’s DOA asking for just a few seconds more patience and finally seemingly breathless, a final report. The only things missing are the laptop dancing on the desk and some sound effects. What a battle.

Hopefully there is a nice easy fix that I have not been able to find, and I sincerely appreciate the help from this site that I have found already.

Thank You
Noah

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by 32104 at 10:51:11 on 2011-07-30
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.641 [GMT -4:00]
.
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\linkinfo32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\authz32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.dell4me.com/myway
BHO: {0000bf1a-5389-4173-8d60-bd3ba5fb8597} - c:\windows\system32\authz32.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
EB: Developer Tools: {1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1} - c:\program files\internet explorer\iedvtool.dll
uRun: [Icufofepo] rundll32.exe "c:\windows\mpwiapc1.dll",Startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Phozifijore] rundll32.exe "c:\windows\ocecuhayaticu.dll",Startup
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [793810402] c:\documents and settings\networkservice\local settings\application data\hgx.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243800345342
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A2073D26-D476-41D6-9777-348CD1B996D0} : DhcpNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\32104\application data\mozilla\firefox\profiles\wrr1ak0r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.w3schools.com/default.asp
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\32104\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2011-4-1 67400]
R2 SQLAgent$SQLEXPRESS32;SQL Server Agent (SQLEXPRESS) ;c:\windows\system32\linkinfo32.exe [2011-7-26 791552]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2011-07-28 23:53:56 20 ----a-w- c:\windows\system32\drivers\SMR200.dat
2011-07-28 23:53:55 83064 ----a-w- c:\windows\system32\drivers\SMR200.SYS
2011-07-28 23:53:41 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-07-28 23:53:41 -------- d-----w- c:\documents and settings\32104\local settings\application data\NPE
2011-07-28 23:48:51 -------- d-----w- c:\windows\pss
2011-07-28 20:30:16 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-07-28 20:30:16 -------- d-----w- c:\documents and settings\32104\application data\SUPERAntiSpyware.com
2011-07-28 20:29:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-28 17:00:47 -------- d--h--w- c:\windows\PIF
2011-07-28 16:39:59 -------- d-----w- c:\documents and settings\32104\application data\Malwarebytes
2011-07-28 16:38:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 16:38:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-28 16:38:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 16:38:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-28 14:43:31 358912 ----a-w- c:\windows\system32\authz32.dll
2011-07-28 07:22:51 0 ----a-w- c:\windows\Fwomu.bin
2011-07-28 07:22:49 -------- d-----w- c:\documents and settings\32104\local settings\application data\{0747BF70-5F23-4AD4-97FB-33EF0D578EF0}
2011-07-28 07:21:11 63488 --sha-r- c:\windows\system32\themeui4.dll
2011-07-28 07:21:11 63488 --sha-r- c:\windows\system32\Setupr.dll
2011-07-28 07:21:11 63488 --sha-r- c:\windows\system32\makecabj.dll
2011-07-28 04:20:48 791552 ----a-w- c:\windows\system32\authz32.exe
2011-07-27 01:45:52 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{ed09b3b9-7361-46be-adbd-84cf9a302b51}\mpengine.dll
2011-07-26 06:36:47 791552 ----a-w- c:\windows\system32\linkinfo32.exe
2011-07-22 12:48:30 0 ---ha-w- c:\documents and settings\32104\itqsytnghv.tmp
.
==================== Find3M ====================
.
2011-06-21 15:20:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-24 00:00:39 15360 ----a-w- c:\windows\system32\ctfmon.exe
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK4026GAX rev.PA102D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86D46AA0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86FCEAB8]
3 CLASSPNP[0xF7587FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86C76030]
\Driver\00001157[0x86E7CF38] -> IRP_MJ_CREATE -> 0x86D46AA0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EF731B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:52:44.78 ===============

GMER Log not available see attached GmerScreenShot.zip


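The DDS log above is what the helpers read for the indicators this thread later acts on: the nameless BHO pointing at authz32.dll, the rundll32 autoruns loading randomly named DLLs from the Windows root, the second "SQL Server Agent (SQLEXPRESS)" service whose binary is system32\linkinfo32.exe (same size as authz32.exe), and the three hidden system DLLs of identical size created in the same second. As an added example that is not part of the original post or of the DDS tool, here is a Python triage script that parses those three DDS sections and flags such patterns; the sample log is constructed from lines of the first post, and the rule names are my own.

```python
"""Triage heuristics for DDS logs of the kind posted in this thread (added example)."""
import re
from collections import defaultdict
# Constructed sample: lines copied from the first post's DDS log, trimmed.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: {0000bf1a-5389-4173-8d60-bd3ba5fb8597} - c:\windows\system32\authz32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [Icufofepo] rundll32.exe "c:\windows\mpwiapc1.dll",Startup
mRun: [Phozifijore] rundll32.exe "c:\windows\ocecuhayaticu.dll",Startup
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [793810402] c:\documents and settings\networkservice\local settings\application data\hgx.exe
============= SERVICES / DRIVERS ===============
R2 SQLAgent$SQLEXPRESS32;SQL Server Agent (SQLEXPRESS) ;c:\windows\system32\linkinfo32.exe [2011-7-26 791552]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
=============== Created Last 30 ================
2011-07-28 14:43:31 358912 ----a-w- c:\windows\system32\authz32.dll
2011-07-28 07:21:11 63488 --sha-r- c:\windows\system32\themeui4.dll
2011-07-28 07:21:11 63488 --sha-r- c:\windows\system32\Setupr.dll
2011-07-28 07:21:11 63488 --sha-r- c:\windows\system32\makecabj.dll
2011-07-28 04:20:48 791552 ----a-w- c:\windows\system32\authz32.exe
2011-07-26 06:36:47 791552 ----a-w- c:\windows\system32\linkinfo32.exe
2011-07-22 12:48:30 0 ---ha-w- c:\documents and settings\32104\itqsytnghv.tmp
==================== Find3M ====================
"""

RUN_RE = re.compile(r'^([umd])Run: \[([^\]]*)\] (.*)$')                   # uRun/mRun/dRun autoruns
BHO_RE = re.compile(r'^BHO: (?:(.+?): )?(\{[0-9A-Fa-f-]{36}\}) - (.+)$')  # optional name, CLSID, path
SVC_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.+?) \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$')
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{8}) (.+)$')
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(c:\\windows\\[^\\"]+\.dll)"?', re.I)  # DLL in Windows root
SYS32 = 'c:\\windows\\system32\\'


def parse_sections(text):
    """Split a DDS log into {section name: [lines]} using its '=== name ===' headers."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('='):
            current = line.strip('= ').lower()      # e.g. 'pseudo hjt report'
        elif line and line != '.' and current:     # DDS pads sections with '.' lines
            sections[current].append(line)
    return sections


def triage(text):
    """Return (rule, detail) findings for the patterns the helpers in this thread act on."""
    s, findings = parse_sections(text), []
    created, by_size = {}, defaultdict(set)        # path -> (size, attrs); size -> system32 paths
    for line in s['created last 30']:
        m = CREATED_RE.match(line)
        if not m:                                   # directories have no numeric size; skip
            continue
        _, _, size, attrs, path = m.groups()
        path, size = path.lower(), int(size)
        created[path] = (size, attrs)
        if path.startswith(SYS32):
            by_size[size].add(path)
            if 's' in attrs and 'h' in attrs:       # hidden+system file dropped into system32
                findings.append(('hidden-system-file', f'{attrs} {path}'))
        elif size == 0 and 'h' in attrs:            # hidden empty marker file in a profile
            findings.append(('hidden-empty-file', path))
    for size, paths in by_size.items():             # several new system32 files of identical size
        if len(paths) > 1:
            findings.append(('same-size-drops', f'{size} bytes: ' + ', '.join(sorted(paths))))

    display_names = defaultdict(list)
    for line in s['services / drivers']:
        m = SVC_RE.match(line)
        if not m:
            continue
        _, name, display, path, _, _ = m.groups()
        path = path.lower()
        display_names[display.strip().lower()].append(name)
        if path.startswith(SYS32) and path in created:   # service binary is itself a recent drop
            findings.append(('service-binary-recently-created', f'{name} -> {path}'))
    for display, names in display_names.items():    # two services sharing one display name
        if len(names) > 1:
            findings.append(('duplicate-service-display-name', f'{display!r}: ' + ', '.join(names)))

    for line in s['pseudo hjt report']:
        m = RUN_RE.match(line)
        if m:
            hive, label, cmd = m.groups()
            d = RUNDLL_RE.search(cmd)
            if d:
                findings.append(('rundll32-dll-in-windows-root', f'{hive}Run [{label}] -> {d.group(1)}'))
            elif hive == 'd' and 'local settings\\application data' in cmd.lower():
                findings.append(('service-profile-autorun', f'dRun [{label}] -> {cmd}'))
            continue
        m = BHO_RE.match(line)
        if m and not m.group(1):                    # BHO registered without a display name
            findings.append(('unnamed-bho', f'{m.group(2)} -> {m.group(3)}'))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:34} {detail}')
```

Run it against a full DDS log pasted into a file (after `SAMPLE_LOG`, read the file instead) and every finding is a line the helpers would ask about; none of the rules are proof on their own, they only rank what to look at first.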

#2 HelpBot

Posted 08 August 2011 - 08:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on http://www.bleepingcomputer.com/logreply/412068 and follow the instructions there. If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Noah Body


Posted 08 August 2011 - 09:37 AM

Hello and thanks for getting back to me.
Since my last post I have:

  • Scanned with TDSSKiller with success, logs available.
  • Windows Firewall was able to be turned back on.
  • Scanned with SUPERAntiSpyware with success, logs available.
  • Scanned with MBAM with success, logs available.

Things seemed to be going in the right direction; I scanned with DDS and Gmer, and log files are available, but I noticed that windows\system32\authz32.exe still remained. Not to be confused with the MS file authz.exe in the same folder. Authz32.exe is not deletable, and if forced, it reappears.

After a short time and a reboot, something got mad and has now disabled:

  • Windows Firewall
  • System Restore
  • My LAN connection (internet access)
  • TDSSKiller
  • MBAM
  • SUPERAntiSpyware

My only means to download to my infected laptop is through a flash drive or DVD/CD-ROM drive.

My Windows OEM software is installed on the laptop in a hidden partition on the HD.

Rkill will run but does not list any malware that it stopped.

DDS and Gmer were able to scan and create a log.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by 32104 at 16:04:09 on 2011-08-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.669 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\linkinfo32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\authz32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.dell4me.com/myway
BHO: {0000bf1a-5389-4173-8d60-bd3ba5fb8597} - c:\windows\system32\authz32.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
EB: Developer Tools: {1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1} - c:\program files\internet explorer\iedvtool.dll
uRun: [Icufofepo] rundll32.exe "c:\windows\mpwiapc1.dll",Startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Phozifijore] rundll32.exe "c:\windows\ocecuhayaticu.dll",Startup
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243800345342
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A2073D26-D476-41D6-9777-348CD1B996D0} : DhcpNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\32104\application data\mozilla\firefox\profiles\wrr1ak0r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.w3schools.com/default.asp
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\32104\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-8-4 353168]
R2 SQLAgent$SQLEXPRESS32;SQL Server Agent (SQLEXPRESS) ;c:\windows\system32\linkinfo32.exe [2011-7-26 791552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2011-4-1 67400]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2011-08-05 01:27:13 358912 ----a-w- c:\windows\system32\authz32.dll
2011-08-04 15:53:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-03 00:10:13 44560 --sha-w- c:\windows\system32\c_56300.nl_
2011-07-28 23:53:56 20 ----a-w- c:\windows\system32\drivers\SMR200.dat
2011-07-28 23:53:55 83064 ----a-w- c:\windows\system32\drivers\SMR200.SYS
2011-07-28 23:53:41 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-07-28 23:53:41 -------- d-----w- c:\documents and settings\32104\local settings\application data\NPE
2011-07-28 23:48:51 -------- d-----w- c:\windows\pss
2011-07-28 17:00:47 -------- d--h--w- c:\windows\PIF
2011-07-28 16:39:59 -------- d-----w- c:\documents and settings\32104\application data\Malwarebytes
2011-07-28 16:38:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 16:38:26 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-28 16:38:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 16:38:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-28 07:22:51 0 ----a-w- c:\windows\Fwomu.bin
2011-07-28 07:22:49 -------- d-----w- c:\documents and settings\32104\local settings\application data\{0747BF70-5F23-4AD4-97FB-33EF0D578EF0}
2011-07-28 07:21:11 63488 --sha-r- c:\windows\system32\themeui4.dll
2011-07-28 07:21:11 63488 --sha-r- c:\windows\system32\Setupr.dll
2011-07-28 07:21:11 63488 --sha-r- c:\windows\system32\makecabj.dll
2011-07-28 04:20:48 791552 ------w- c:\windows\system32\authz32.exe
2011-07-26 06:36:47 791552 ------w- c:\windows\system32\linkinfo32.exe
2011-07-22 12:48:30 0 ---ha-w- c:\documents and settings\32104\itqsytnghv.tmp
.
==================== Find3M ====================
.
2011-08-05 02:20:50 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-05 02:11:38 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-03 01:03:14 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-08-03 00:57:25 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-03 00:49:54 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-06-21 15:20:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-24 00:00:39 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
============= FINISH: 16:05:22.15 ===============

I hope this helps
Noah


#4 CatByte

  • Malware Response Team
Posted 08 August 2011 - 08:14 PM

Hi,

See if you can boot into Safe Mode with Networking and get internet access. If not, download the following program to a USB stick on another machine; it will run from the USB stick.

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#5 Noah Body

Posted 08 August 2011 - 10:47 PM

Hi CatByte
Thanks a million for getting back to me. I was able to run ComboFix, but not with a network connection, so the MS Windows Recovery Console did not get installed. It does appear that ComboFix was able to make some repairs though. After CF's last boot, while preparing the log, I did get 2 error messages:

Error Loading C:\Windows\ocecuhayaticu.dll
The specified module could not be found. OK

Error Loading C:\Windows\mpwiapc1.dll
The specified module could not be found. OK

I clicked OK twice and the log was produced.

After saving the log I briefly tried the LAN and it appears to be repaired and the computer seems to be a little faster. After the major steps backwards the other day though I am hesitant to do anything until you see the recent log.

I did look at running processes and noticed Authz32.exe was still present and wanted to pass along the file's properties.
C:\Windows\system32\authz32.dll
C:\Windows\system32\authz32.exe
File Version 5.2.0.0
Description Crow
Copyright Copyright © Slit Rice 2003-2009
Other Version Information
Company Crane Dusky Rafts Bozo
File Version 5.2
Internal Name Stump
Language English (United States)
Original File Name Beans.exe
Product Name Pans Edict
Product Version 5.2

infolink32.exe has the same info as properties

Here is the ComboFix Log:
ComboFix 11-08-05.01 - 32104 08/08/2011 22:48:49.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.660 [GMT -4:00]
Running from: e:\combo fix install\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\32104\Application Data\Adobe\plugs
c:\documents and settings\32104\Application Data\Adobe\shed
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}\chrome.manifest
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}\chrome\xulcache.jar
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}\defaults\preferences\xulcache.js
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}\install.rdf
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}\chrome.manifest
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}\chrome\xulcache.jar
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}\defaults\preferences\xulcache.js
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}\install.rdf
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}\chrome.manifest
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}\chrome\xulcache.jar
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}\defaults\preferences\xulcache.js
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}\install.rdf
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}\chrome.manifest
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}\chrome\xulcache.jar
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}\defaults\preferences\xulcache.js
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}\install.rdf
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}\chrome.manifest
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}\chrome\xulcache.jar
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}\defaults\preferences\xulcache.js
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}\install.rdf
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}\chrome.manifest
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}\chrome\xulcache.jar
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}\defaults\preferences\xulcache.js
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}\install.rdf
c:\documents and settings\32104\itqsytnghv.tmp
c:\documents and settings\32104\Local Settings\Application Data\{0747BF70-5F23-4AD4-97FB-33EF0D578EF0}
c:\documents and settings\32104\Local Settings\Application Data\{0747BF70-5F23-4AD4-97FB-33EF0D578EF0}\chrome.manifest
c:\documents and settings\32104\Local Settings\Application Data\{0747BF70-5F23-4AD4-97FB-33EF0D578EF0}\chrome\content\_cfg.js
c:\documents and settings\32104\Local Settings\Application Data\{0747BF70-5F23-4AD4-97FB-33EF0D578EF0}\chrome\content\overlay.xul
c:\documents and settings\32104\Local Settings\Application Data\{0747BF70-5F23-4AD4-97FB-33EF0D578EF0}\install.rdf
c:\documents and settings\32104\WINDOWS
c:\windows\$NtUninstallKB22700$
c:\windows\$NtUninstallKB22700$\12046292
c:\windows\$NtUninstallKB22700$\29140719\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB22700$\29140719\click.tlb
c:\windows\$NtUninstallKB22700$\29140719\L\odetmngk
c:\windows\$NtUninstallKB22700$\29140719\loader.tlb
c:\windows\$NtUninstallKB22700$\29140719\U\@00000001
c:\windows\$NtUninstallKB22700$\29140719\U\@000000c0
c:\windows\$NtUninstallKB22700$\29140719\U\@000000cb
c:\windows\$NtUninstallKB22700$\29140719\U\@000000cf
c:\windows\$NtUninstallKB22700$\29140719\U\@80000000
c:\windows\$NtUninstallKB22700$\29140719\U\@800000c0
c:\windows\$NtUninstallKB22700$\29140719\U\@800000cb
c:\windows\$NtUninstallKB22700$\29140719\U\@800000cf
c:\windows\mpwiapc1.dll
c:\windows\ocecuhayaticu.dll
c:\windows\system32\c_56300.nls
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-09 02:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-09 02:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2011-08-05 01:27 . 2011-08-05 01:27 358912 ----a-w- c:\windows\system32\authz32.dll
2011-08-04 15:53 . 2011-08-05 04:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-03 00:10 . 2011-08-05 02:21 44560 --sha-w- c:\windows\system32\c_56300.nl_
2011-07-28 23:53 . 2011-07-28 23:53 20 ----a-w- c:\windows\system32\drivers\SMR200.dat
2011-07-28 23:53 . 2011-07-28 23:53 83064 ----a-w- c:\windows\system32\drivers\SMR200.SYS
2011-07-28 23:53 . 2011-07-28 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-07-28 23:53 . 2011-07-28 23:53 -------- d-----w- c:\documents and settings\32104\Local Settings\Application Data\NPE
2011-07-28 17:00 . 2011-07-28 17:00 -------- d--h--w- c:\windows\PIF
2011-07-28 16:39 . 2011-07-28 16:39 -------- d-----w- c:\documents and settings\32104\Application Data\Malwarebytes
2011-07-28 16:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 16:38 . 2011-07-28 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-28 16:38 . 2011-08-05 04:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-28 16:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 08:36 . 2011-07-28 08:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-28 07:22 . 2011-08-08 13:42 0 ----a-w- c:\windows\Fwomu.bin
2011-07-28 07:21 . 2011-07-28 07:21 63488 --sha-r- c:\windows\system32\themeui4.dll
2011-07-28 07:21 . 2011-07-28 07:21 63488 --sha-r- c:\windows\system32\Setupr.dll
2011-07-28 07:21 . 2011-07-28 07:21 63488 --sha-r- c:\windows\system32\makecabj.dll
2011-07-28 04:20 . 2011-07-26 06:36 791552 ------w- c:\windows\system32\authz32.exe
2011-07-28 03:57 . 2011-07-28 03:58 -------- d-----w- c:\documents and settings\Administrator
2011-07-26 06:36 . 2011-07-26 06:36 791552 ------w- c:\windows\system32\linkinfo32.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-05 02:20 . 2004-08-04 04:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-05 02:11 . 2005-12-11 18:10 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-03 01:03 . 2004-08-10 18:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-08-03 00:57 . 2008-06-20 11:40 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-03 00:49 . 2004-08-10 18:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-06-21 15:20 . 2011-06-05 14:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2009-10-06 14:35 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-24 00:00 . 2004-08-10 18:51 15360 ----a-w- c:\windows\system32\ctfmon.exe
2011-05-23 15:53 . 2011-05-23 14:25 565248 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2011-04-14 16:26 . 2011-05-05 19:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0000BF1A-5389-4173-8D60-BD3BA5FB8597}]
2011-08-05 01:27 358912 ----a-w- c:\windows\system32\authz32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-11 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2011-05-24 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [8/4/2011 4:46 PM 353168]
R2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/1/2011 8:17 PM 67400]
R2 SQLAgent$SQLEXPRESS32;SQL Server Agent (SQLEXPRESS) ;c:\windows\system32\linkinfo32.exe [7/26/2011 2:36 AM 791552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/28/2011 12:38 PM 41272]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 2:56 PM 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 11:02 AM 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [4/3/2010 2:56 PM 367456]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.w3schools.com/default.asp
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Icufofepo - c:\windows\mpwiapc1.dll
HKLM-Run-Phozifijore - c:\windows\ocecuhayaticu.dll
SafeBoot-21007347.sys
SafeBoot-22952319.sys
SafeBoot-33738607.sys
SafeBoot-35755379.sys
SafeBoot-58951978.sys
SafeBoot-60001075.sys
SafeBoot-69431537.sys
SafeBoot-71307286.sys
SafeBoot-93173363.sys
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\32104\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-08 22:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2036)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\authz32.exe
.
**************************************************************************
.
Completion time: 2011-08-08 23:02:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-09 03:02
.
Pre-Run: 17,994,997,760 bytes free
Post-Run: 18,083,168,256 bytes free
.
- - End Of File - - 44215A6645A9CF97527E61E225BCC15C

Thanks for your help on this
Noah

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 August 2011 - 06:44 AM

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic412068.html/page__pid__2364960#entry2364960

Collect::
c:\windows\system32\authz32.dll
c:\windows\system32\c_56300.nl_
c:\windows\system32\themeui4.dll
c:\windows\system32\Setupr.dll
c:\windows\system32\makecabj.dll
c:\windows\system32\authz32.exe
c:\windows\system32\linkinfo32.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0000BF1A-5389-4173-8D60-BD3BA5FB8597}]

File::
c:\windows\Fwomu.bin

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



#7 Noah Body
  • Topic Starter
  • Members
  • 16 posts

Posted 09 August 2011 - 08:58 AM

Good Morning CatByte
Ran CB as instructed. At the time it would not install the Recovery Console, but CB did run through the 50 stages faster than the first time. After the deleting-files portion, I received the message:
Crow
Crow has encountered a problem and needs to close. DEBUG OK
I ignored it, and after a few that disappeared, the PC rebooted and provided the log.
I am posting this from the infected laptop, so we are definitely making progress.
I need to install an A/V, Windows Defender was killed by this thing. I am looking at using AVG, any thoughts?
ComboFix Log:

ComboFix 11-08-05.01 - 32104 08/09/2011 9:25.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.585 [GMT -4:00]
Running from: c:\documents and settings\32104\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\32104\Desktop\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
FILE ::
"c:\windows\Fwomu.bin"
.
file zipped: c:\windows\system32\authz32.dll
file zipped: c:\windows\system32\authz32.exe
file zipped: c:\windows\system32\c_56300.nl_
file zipped: c:\windows\system32\linkinfo32.exe
file zipped: c:\windows\system32\makecabj.dll
file zipped: c:\windows\system32\Setupr.dll
file zipped: c:\windows\system32\themeui4.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}\chrome.manifest
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}\chrome\xulcache.jar
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}\defaults\preferences\xulcache.js
c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}\install.rdf
c:\documents and settings\32104\itqsytnghv.tmp
c:\windows\Fwomu.bin
c:\windows\system32\authz32.dll
c:\windows\system32\authz32.exe
c:\windows\system32\c_56300.nl_
c:\windows\system32\linkinfo32.exe
c:\windows\system32\makecabj.dll
c:\windows\system32\Setupr.dll
c:\windows\system32\themeui4.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SQLAgent$SQLEXPRESS32
-------\Service_SQLAgent$SQLEXPRESS32
.
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-09 13:30 . 2011-07-26 06:36 791552 ----a-w- c:\windows\system32\msaudite32.exe
2011-08-09 02:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-09 02:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2011-08-04 15:53 . 2011-08-05 04:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-28 23:53 . 2011-07-28 23:53 20 ----a-w- c:\windows\system32\drivers\SMR200.dat
2011-07-28 23:53 . 2011-07-28 23:53 83064 ----a-w- c:\windows\system32\drivers\SMR200.SYS
2011-07-28 23:53 . 2011-07-28 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-07-28 23:53 . 2011-07-28 23:53 -------- d-----w- c:\documents and settings\32104\Local Settings\Application Data\NPE
2011-07-28 17:00 . 2011-07-28 17:00 -------- d--h--w- c:\windows\PIF
2011-07-28 16:39 . 2011-07-28 16:39 -------- d-----w- c:\documents and settings\32104\Application Data\Malwarebytes
2011-07-28 16:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 16:38 . 2011-07-28 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-28 16:38 . 2011-08-05 04:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-28 16:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 08:36 . 2011-07-28 08:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-28 03:57 . 2011-07-28 03:58 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-05 02:20 . 2004-08-04 04:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-05 02:11 . 2005-12-11 18:10 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-03 01:03 . 2004-08-10 18:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-08-03 00:57 . 2008-06-20 11:40 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-03 00:49 . 2004-08-10 18:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-06-21 15:20 . 2011-06-05 14:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2009-10-06 14:35 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-24 00:00 . 2004-08-10 18:51 15360 ----a-w- c:\windows\system32\ctfmon.exe
2011-05-23 15:53 . 2011-05-23 14:25 565248 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2011-04-14 16:26 . 2011-05-05 19:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-09_02.57.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-09 13:32 . 2011-08-09 13:32 16384 c:\windows\Temp\Perflib_Perfdata_594.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-11 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2011-05-24 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [8/4/2011 4:46 PM 353168]
R2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/1/2011 8:17 PM 67400]
R2 winmgmt32;Windows Management Instrumentation ;c:\windows\system32\msaudite32.exe [8/9/2011 9:30 AM 791552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/28/2011 12:38 PM 41272]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 2:56 PM 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 11:02 AM 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [4/3/2010 2:56 PM 367456]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.w3schools.com/default.asp
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-09 09:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1656)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\authz32.exe
.
**************************************************************************
.
Completion time: 2011-08-09 09:37:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-09 13:37
ComboFix2.txt 2011-08-09 03:02
.
Pre-Run: 18,091,200,512 bytes free
Post-Run: 18,067,070,976 bytes free
.
- - End Of File - - E620F8D08509DEE8C40A5D012C71A832

Thanks again for the help It is a great thing you folks are doing.
Noah
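
Read side by side, the two ComboFix logs above (posts #5 and #7) show the renaming behaviour the thread title refers to: authz32.exe, linkinfo32.exe and msaudite32.exe are all 791552 bytes with the same modification timestamp, each was registered as a service under a real service name with "32" appended (SQLAgent$SQLEXPRESS32, winmgmt32) and a trailing space in the display name, the dropped DLLs carry the system+hidden attributes, and the Security Center override keys are set to 1 so Windows stops warning that antivirus and firewall are off. The Python script below is an added example for this page, not a ComboFix feature or anything posted in the thread; it applies those heuristics to a sample built from lines copied out of the two logs. The KNOWN_SERVICES set is an assumption, a handful of real XP service names rather than an exhaustive allow-list.

```python
"""Heuristic triage of ComboFix log lines. Added example for this thread,
not a ComboFix or BleepingComputer tool; sample lines come from the logs above."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix logs in posts #5 and #7.
SAMPLE_LOG = r"""
2011-08-05 01:27 . 2011-08-05 01:27 358912 ----a-w- c:\windows\system32\authz32.dll
2011-08-03 00:10 . 2011-08-05 02:21 44560 --sha-w- c:\windows\system32\c_56300.nl_
2011-07-28 07:21 . 2011-07-28 07:21 63488 --sha-r- c:\windows\system32\themeui4.dll
2011-07-28 07:21 . 2011-07-28 07:21 63488 --sha-r- c:\windows\system32\Setupr.dll
2011-07-28 07:21 . 2011-07-28 07:21 63488 --sha-r- c:\windows\system32\makecabj.dll
2011-07-28 04:20 . 2011-07-26 06:36 791552 ------w- c:\windows\system32\authz32.exe
2011-07-26 06:36 . 2011-07-26 06:36 791552 ------w- c:\windows\system32\linkinfo32.exe
2011-08-09 13:30 . 2011-07-26 06:36 791552 ----a-w- c:\windows\system32\msaudite32.exe
2011-07-28 16:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
R2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/1/2011 8:17 PM 67400]
R2 SQLAgent$SQLEXPRESS32;SQL Server Agent (SQLEXPRESS) ;c:\windows\system32\linkinfo32.exe [7/26/2011 2:36 AM 791552]
R2 winmgmt32;Windows Management Instrumentation ;c:\windows\system32\msaudite32.exe [8/9/2011 9:30 AM 791552]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [4/3/2010 2:56 PM 367456]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

# "created . modified size attrs path" lines from the Files Created / Find3M sections
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
# "R2 name;display;path [date time size]" service lines
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
                        r"(?P<path>.+?) \[(?P<info>.+)\]$")
OVERRIDE_RE = re.compile(r'^"(?P<key>\w*Override)"=dword:(?P<val>[0-9a-fA-F]{8})$')

SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: a short set of real XP service names a rogue likes to imitate.
KNOWN_SERVICES = {"winmgmt", "wuauserv", "spooler", "eventlog", "lanmanserver"}

def parse(text):
    """Split a log into file, service and Security Center override records."""
    files, services, overrides = [], [], []
    for line in text.splitlines():
        if (m := FILE_RE.match(line)):
            files.append(m.groupdict())
        elif (m := SERVICE_RE.match(line)):
            services.append(m.groupdict())
        elif (m := OVERRIDE_RE.match(line)):
            overrides.append(m.groupdict())
    return files, services, overrides

def in_system32_root(path):
    """True for a file directly in system32 (drivers\\ and deeper excluded)."""
    p = path.lower()
    return p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]

def cloned_binaries(files):
    """Distinct system32 filenames sharing one exact byte size: a dropper that
    renames its payload (authz32 -> linkinfo32 -> msaudite32) leaves these behind."""
    by_size = defaultdict(list)
    for f in files:
        if in_system32_root(f["path"]):
            by_size[int(f["size"])].append(f["path"])
    return {size: sorted(paths) for size, paths in by_size.items() if len(paths) >= 2}

def hidden_system_files(files):
    """system32 files carrying both the system ('s') and hidden ('h') attributes."""
    return sorted(f["path"] for f in files
                  if in_system32_root(f["path"]) and {"s", "h"} <= set(f["attrs"]))

def lookalike_services(services, clone_sizes=frozenset()):
    """Flag services whose name is an existing or well-known name with digits
    appended, whose display name is padded with whitespace, or whose binary is
    the same size as the renamed copies found by cloned_binaries()."""
    names = {s["name"].lower() for s in services}
    flagged = []
    for s in services:
        name = s["name"].lower()
        base = name.rstrip("0123456789")
        reasons = []
        if base != name and (base in names or base in KNOWN_SERVICES):
            reasons.append(f"name imitates '{base}'")
        if s["display"] != s["display"].strip():
            reasons.append("stray whitespace in display name")
        if int(s["info"].rsplit(" ", 1)[-1]) in clone_sizes:
            reasons.append("binary size matches renamed copies")
        if reasons:
            flagged.append((s["name"], s["path"], reasons))
    return flagged

def security_center_overrides(overrides):
    """Override flags set non-zero silence the 'no antivirus / no firewall' warning."""
    return sorted(o["key"] for o in overrides if int(o["val"], 16) != 0)

def triage(text):
    files, services, overrides = parse(text)
    clones = cloned_binaries(files)
    return {"cloned_binaries": clones,
            "hidden_system_files": hidden_system_files(files),
            "lookalike_services": lookalike_services(services, frozenset(clones)),
            "security_center_overrides": security_center_overrides(overrides)}

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(f"== {section}: {hits}")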

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 August 2011 - 05:40 PM

Hi

I'd give Microsoft Security Essentials a try; it's excellent and free.

http://www.microsoft.com/security_essentials/

We still have more work to do, so please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic412068.html/page__pid__2365250#entry2365250

Collect::
c:\windows\system32\msaudite32.exe
c:\windows\system32\authz32.exe

Driver::
winmgmt32


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Noah Body

Noah Body
  • Topic Starter


Posted 09 August 2011 - 08:19 PM

Hi CatByte

Thanks, I will try MS Essentials again. I had d/l'd it last week, but this business just steamrolled it with everything else. I am just trying out AVG on my desktop, just getting used to it. I had Windows Defender on both machines and Norton before that. Oh well.

ComboFix ran with no error messages this time and since I was connected to the internet it loaded an update and installed the recovery console.
I inserted the cfscript.txt file as indicated.

ComboFix 11-08-09.02 - 32104 08/09/2011 19:24:22.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.606 [GMT -4:00]
Running from: c:\documents and settings\32104\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\32104\Desktop\cfscript.txt
.
file zipped: c:\windows\system32\msaudite32.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\msaudite32.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WINMGMT32
-------\Service_winmgmt32
.
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
.
2011-08-09 02:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-09 02:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2011-08-04 15:53 . 2011-08-05 04:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-28 23:53 . 2011-07-28 23:53 20 ----a-w- c:\windows\system32\drivers\SMR200.dat
2011-07-28 23:53 . 2011-07-28 23:53 83064 ----a-w- c:\windows\system32\drivers\SMR200.SYS
2011-07-28 23:53 . 2011-07-28 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-07-28 23:53 . 2011-07-28 23:53 -------- d-----w- c:\documents and settings\32104\Local Settings\Application Data\NPE
2011-07-28 17:00 . 2011-07-28 17:00 -------- d--h--w- c:\windows\PIF
2011-07-28 16:39 . 2011-07-28 16:39 -------- d-----w- c:\documents and settings\32104\Application Data\Malwarebytes
2011-07-28 16:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 16:38 . 2011-07-28 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-28 16:38 . 2011-08-05 04:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-28 16:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 08:36 . 2011-07-28 08:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-28 03:57 . 2011-07-28 03:58 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-05 02:20 . 2004-08-04 04:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-05 02:11 . 2005-12-11 18:10 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-03 01:03 . 2004-08-10 18:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-08-03 00:57 . 2008-06-20 11:40 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-03 00:49 . 2004-08-10 18:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-06-21 15:20 . 2011-06-05 14:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2009-10-06 14:35 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-24 00:00 . 2004-08-10 18:51 15360 ----a-w- c:\windows\system32\ctfmon.exe
2011-05-23 15:53 . 2011-05-23 14:25 565248 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2011-04-14 16:26 . 2011-05-05 19:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-09_02.57.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-09 23:30 . 2011-08-09 23:30 16384 c:\windows\Temp\Perflib_Perfdata_20c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-11 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2011-05-24 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
.
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [8/4/2011 4:46 PM 353168]
R2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/1/2011 8:17 PM 67400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/28/2011 12:38 PM 41272]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 2:56 PM 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 11:02 AM 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [4/3/2010 2:56 PM 367456]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.w3schools.com/default.asp
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-09 19:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2396)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
.
**************************************************************************
.
Completion time: 2011-08-09 19:35:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-09 23:34
ComboFix2.txt 2011-08-09 13:37
ComboFix3.txt 2011-08-09 03:02
.
Pre-Run: 18,026,508,288 bytes free
Post-Run: 18,005,200,896 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 7CCDB95BB78872B3FCD14991286B7237
Upload was successful


MBAM ran its scan with no problem

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7422

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/9/2011 7:49:01 PM
mbam-log-2011-08-09 (19-49-01).txt

Scan type: Quick scan
Objects scanned: 169545
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Eset Scan ran with no problem.

C:\Documents and Settings\32104\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\adbhfcbddhpincahoengeleclpkjblgc\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\32104\My Documents\Downloads\Software Downloads 2011\Orbit Downloader 4.0.0.7\OrbitDownloaderSetup.exe Win32/OpenCandy application
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE Win32/Patched.HN trojan
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe Win32/Patched.HN trojan
C:\Program Files\Java\jre6\bin\jqs.exe Win32/Patched.HN trojan
C:\Program Files\Microsoft LifeCam\MSCamS32.exe Win32/Patched.HN trojan
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe Win32/Patched.HN trojan
C:\Qoobox\Quarantine\[4]-Submit_2011-08-09_09.25.34.zip multiple threats
C:\Qoobox\Quarantine\[4]-Submit_2011-08-09_19.24.17.zip Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\WINDOWS\mpwiapc1.dll.vir a variant of Win32/Cimag.HT trojan
C:\Qoobox\Quarantine\C\WINDOWS\ocecuhayaticu.dll.vir a variant of Win32/Kryptik.RAA trojan
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\authz32.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_authz32_.exe.zip Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000002.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000003.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000010.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000037.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000038.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000064.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000065.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000070.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000083.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000084.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000088.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000443.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000462.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000463.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000500.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000501.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000502.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000503.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000504.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000505.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000507.dll a variant of Win32/Cimag.HT trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000508.dll a variant of Win32/Kryptik.RAA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000687.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000688.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0000877.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000107.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000110.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000111.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000115.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000137.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000142.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000143.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000147.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000159.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000160.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000164.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000169.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000194.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000209.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000218.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000237.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000257.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0000385.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8\A0000399.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0000431.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0000442.manifest Win32/TrojanDownloader.Tracur.F trojan
Operating memory Win32/Patched.HN trojan


Feels like we are getting there, Thanks for your help, it really is appreciated!
Noah
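The ComboFix log above is the record of what the CFScript did (the Drivers/Services section shows the winmgmt32 service named in the Driver:: directive being removed) and of what was created on the machine in the reporting window. The following is an added Python example, not code from this thread or from ComboFix, that parses those two sections of a log in the shape posted: it turns the 'Files Created' lines into records, extracts the removed service names, lists the entries under c:\windows\system32, and flags files whose recorded last-write time is far older than their creation time, which is what a file copied into place looks like (by a repair such as a dllcache restore, or by a dropper); which of the two it is remains the analyst's call. The column order (creation time, then last-write time) is assumed from the section heading, and the sample log is a constructed subset of the lines posted above.

```python
"""Parse a ComboFix log's 'Files Created' and 'Drivers/Services' sections.

Added example, not ComboFix's own code.  Assumption (taken from the section
heading): each file entry reads  <created> . <last-write> <size> <attrs> <path>.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed subset of the log posted in this reply, section markers kept.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WINMGMT32
-------\Service_winmgmt32
.
((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))
.
2011-08-09 02:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-09 02:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2011-08-04 15:53 . 2011-08-05 04:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-28 23:53 . 2011-07-28 23:53 83064 ----a-w- c:\windows\system32\drivers\SMR200.SYS
2011-07-28 16:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 16:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 03:57 . 2011-07-28 03:58 -------- d-----w- c:\documents and settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-05 02:20 . 2004-08-04 04:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
"""

# Section banner: a run of '(' , the name, a run of ')'.
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
# File entry: created . last-write size attrs path   (size is dashes for a directory)
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# Removed driver/service lines, e.g. -------\Service_winmgmt32
SERVICE_RE = re.compile(r"^-+\\(?:Legacy|Service)_(?P<name>\S+)$")


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def sections(text: str):
    """Yield (section_name, line) for every non-filler line of the log."""
    name = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":        # ComboFix pads sections with '.' lines
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group("name")
            continue
        yield name, line


def parse_files_created(text: str) -> List[FileEntry]:
    """Entries of the 'Files Created from ... to ...' section only."""
    out = []
    for name, line in sections(text):
        if not name.startswith("Files Created"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            size = int(m.group("size")) if m.group("size").isdigit() else None
            out.append(FileEntry(_ts(m.group("created")), _ts(m.group("modified")),
                                 size, m.group("attrs"), m.group("path")))
    return out


def removed_services(text: str) -> List[str]:
    """Service names ComboFix reports under Drivers/Services (Legacy_ and Service_ merged)."""
    names = set()
    for name, line in sections(text):
        m = SERVICE_RE.match(line)
        if name == "Drivers/Services" and m:
            names.add(m.group("name").lower())
    return sorted(names)


def system_files(entries: List[FileEntry], root: str = r"c:\windows\system32") -> List[FileEntry]:
    """Files (not directories) created under the system directory in the window."""
    return [e for e in entries if not e.is_dir and e.path.lower().startswith(root)]


def backdated(entries: List[FileEntry], days: int = 30) -> List[FileEntry]:
    """Files whose last-write time is more than `days` older than their creation time."""
    limit = timedelta(days=days)
    return [e for e in entries if not e.is_dir and e.created - e.modified > limit]


if __name__ == "__main__":
    found = parse_files_created(SAMPLE_LOG)
    print("removed services:", removed_services(SAMPLE_LOG))
    for e in backdated(found):
        print(f"copied into place: {e.path} (created {e.created}, written {e.modified})")
```

On the constructed sample this reports winmgmt32 as the removed service and both ipsec.sys copies (drivers and dllcache) as files whose 2008 last-write time is years older than their 2011 creation time; the cdrom.sys line is ignored because it sits in the Find3M section, not in Files Created.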




#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team

Posted 09 August 2011 - 08:32 PM

Hi,

Your machine has a pesky infection that is difficult to get rid of, as it infects some of your machine's program files.

Some are easy to fix just by uninstalling and then re-installing the program; others aren't so easily uninstalled:

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE Win32/Patched.HN trojan
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe Win32/Patched.HN trojan
C:\Program Files\Java\jre6\bin\jqs.exe Win32/Patched.HN trojan
C:\Program Files\Microsoft LifeCam\MSCamS32.exe Win32/Patched.HN trojan
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe Win32/Patched.HN trojan

Here you can probably uninstall Java, clear the Java cache, then download the latest Java:

Click Start > Control Panel.
Double-click the Java icon in the control panel.
The Java Control Panel appears.
Click Settings under Temporary Internet Files.
The Temporary Files Settings dialog box appears.

There are three options on this window to clear the cache.

  • Delete Files
  • View Applications
  • View Applets


Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
Click OK on Temporary Files Settings window.


The Microsoft Files might be easy enough to re-install as well,


try giving the trial version of Kaspersky Anti Virus a run:

Set it to clean the infection, not delete or quarantine, let me know how you get on:


(hold off on installing the Microsoft Security Essentials until we have finished using Kaspersky)

http://www.kaspersky.com/anti-virus_trial

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
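The ESET export the earlier instructions ask for, and the step CatByte takes here of picking the still-live Win32/Patched.HN files out of it, can be done mechanically. The following is an added Python example, not code from this thread, from ESET or from BleepingComputer, that parses lines in the shape posted in reply #9, assuming one detection per line with the path first and the detection name and object kind last. It separates objects still live on disk (and the in-memory hit) from copies already held in ComboFix's Qoobox quarantine or in System Restore points, and counts families per location, which is the split that decides whether a program needs re-installing or whether the copy is just waiting to be purged. The sample lines are a constructed subset of the results posted above.

```python
"""Triage an ESET Online Scanner text export by location and malware family.

Added example; not code from the thread, from ESET or from BleepingComputer.
Assumed line shape (as posted in the thread): <path> <detection name> <kind>,
where the detection may be prefixed 'a variant of' / 'probably a variant of',
or may be just 'multiple threats' for an archive.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the export posted in reply #9.
SAMPLE_EXPORT = r"""
C:\Documents and Settings\32104\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\adbhfcbddhpincahoengeleclpkjblgc\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\32104\My Documents\Downloads\Software Downloads 2011\Orbit Downloader 4.0.0.7\OrbitDownloaderSetup.exe Win32/OpenCandy application
C:\Program Files\Java\jre6\bin\jqs.exe Win32/Patched.HN trojan
C:\Program Files\Microsoft LifeCam\MSCamS32.exe Win32/Patched.HN trojan
C:\Qoobox\Quarantine\[4]-Submit_2011-08-09_09.25.34.zip multiple threats
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000002.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000687.exe Win32/Patched.HN trojan
Operating memory Win32/Patched.HN trojan
"""

# Path is everything up to the detection; the detection is anchored at the end
# of the line so that spaces inside the path do not confuse the split.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?(?P<family>\w+/\S+)\s+(?P<kind>\w+)"
    r"|multiple threats)$"
)


@dataclass
class Detection:
    path: str
    family: str
    kind: str
    location: str


def classify_location(path: str) -> str:
    """Where the flagged object sits, which decides what to do about it."""
    p = path.lower()
    if p == "operating memory":
        return "memory"               # a running process still carries the infection
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"  # already moved out of place by ComboFix
    if "\\system volume information\\_restore" in p:
        return "system_restore"       # restore-point copies; cleared by purging restore points
    return "live"                     # still in place on disk


def parse_line(line: str) -> Optional[Detection]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    family = m.group("family") or "multiple threats"
    kind = m.group("kind") or "archive"   # 'multiple threats' is reported on archives
    path = m.group("path")
    return Detection(path, family, kind, classify_location(path))


def parse_export(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def summarize(dets: List[Detection]) -> Dict[str, Dict[str, int]]:
    """Per location, how many objects of each family were flagged."""
    counts = defaultdict(Counter)
    for d in dets:
        counts[d.location][d.family] += 1
    return {loc: dict(c) for loc, c in counts.items()}


def live_detections(dets: List[Detection]) -> List[Detection]:
    """Entries that still need action on the running system (on disk or in memory)."""
    return [d for d in dets if d.location in ("live", "memory")]


if __name__ == "__main__":
    found = parse_export(SAMPLE_EXPORT)
    for loc, fams in summarize(found).items():
        print(loc, fams)
    for d in live_detections(found):
        print("needs action:", d.family, d.path)
```

On the constructed sample the live list is the two Win32/Patched.HN program files, the Chrome content script, the OpenCandy installer and the in-memory hit, while the Sirefef.CO driver copy and the "multiple threats" archive are reported as already sitting in ComboFix's quarantine and the Kryptik.DM and Patched.HN copies under RP1/RP10 as restore-point material.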


#11 Noah Body

Noah Body
  • Topic Starter


Posted 09 August 2011 - 10:59 PM

Hi
I deleted the temp files with no problem.

Tried to install Kaspersky A/V kav12.0.0.374en.exe but could not, got this error message:
The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed.
Contact your support personnel for assistance.
As the install was being closed out, a new option popped up and said that it might be due to a virus that it could not be installed and that I could run the Kaspersky Virus Removal Tool instead, so I did. As this was scanning and it came to the infected file, I was offered the choice of Disinfect (Recommended), Delete or Skip. I chose disinfect and, when that wasn't possible in a couple of the cases, I chose delete. I think that may haunt me later, we shall see. Not real comfortable with how that worked.

The Logs were in 2 parts. The short list was the Deletion/Disinfect shown below:

Status: Deleted (events: 4)
8/9/2011 11:17:29 PM Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe High
8/9/2011 11:17:29 PM Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\Microsoft LifeCam\MSCamS32.exe High
8/9/2011 11:17:29 PM Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE High
8/9/2011 11:17:29 PM Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\Java\jre6\bin\jqs.exe High
Status: Disinfected (events: 2)
8/9/2011 11:17:29 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe High
8/9/2011 11:10:25 PM Disinfected Trojan program Trojan.Win32.Patched.mf c:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe High

The second log was a big long list of "Object was not changed (iChecker)" so to save a little space, I zipped and attached it, hope you don't mind.
Noah

Attached Files



#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team

Posted 10 August 2011 - 06:01 AM

Please re-run ComboFix, allow it to update if it asks to do so, then re-run the ESET online scan. Let's see if there are still any leftover infected files; you may find you will need to re-install some programs, but I believe we are making progress here.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 Noah Body

Noah Body
  • Topic Starter


Posted 10 August 2011 - 07:57 AM

Good Morning
Don't you love this? I give you a lot of credit.
ComboFix ran an update, went right through its stages, did not need to reboot, had no error messages and produced the following report:

ComboFix 11-08-10.01 - 32104 08/10/2011 7:32.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.538 [GMT -4:00]
Running from: c:\documents and settings\32104\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-10 to 2011-08-10 )))))))))))))))))))))))))))))))
.
.
2011-08-10 00:02 . 2011-08-10 00:02 -------- d-----w- c:\program files\ESET
2011-08-09 02:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-09 02:43 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2011-07-28 23:53 . 2011-07-28 23:53 20 ----a-w- c:\windows\system32\drivers\SMR200.dat
2011-07-28 23:53 . 2011-07-28 23:53 83064 ----a-w- c:\windows\system32\drivers\SMR200.SYS
2011-07-28 23:53 . 2011-07-28 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-07-28 23:53 . 2011-07-28 23:53 -------- d-----w- c:\documents and settings\32104\Local Settings\Application Data\NPE
2011-07-28 17:00 . 2011-07-28 17:00 -------- d--h--w- c:\windows\PIF
2011-07-28 16:39 . 2011-07-28 16:39 -------- d-----w- c:\documents and settings\32104\Application Data\Malwarebytes
2011-07-28 16:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-28 16:38 . 2011-07-28 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-28 16:38 . 2011-08-05 04:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-28 16:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-28 08:36 . 2011-07-28 08:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-28 03:57 . 2011-07-28 03:58 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-05 02:20 . 2004-08-04 04:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-05 02:11 . 2005-12-11 18:10 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-03 01:03 . 2004-08-10 18:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-08-03 00:57 . 2008-06-20 11:40 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-03 00:49 . 2004-08-10 18:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-06-21 15:20 . 2011-06-05 14:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2009-10-06 14:35 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-24 00:00 . 2004-08-10 18:51 15360 ----a-w- c:\windows\system32\ctfmon.exe
2011-05-23 15:53 . 2011-05-23 14:25 565248 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2011-04-14 16:26 . 2011-05-05 19:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-11 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2011-05-24 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
.
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [8/4/2011 4:46 PM 353168]
R2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/1/2011 8:17 PM 67400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [4/3/2010 2:56 PM 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [4/3/2010 11:02 AM 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [4/3/2010 2:56 PM 367456]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.w3schools.com/default.asp
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-10 07:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2964)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-10 07:41:14
ComboFix-quarantined-files.txt 2011-08-10 11:41
ComboFix2.txt 2011-08-09 23:36
ComboFix3.txt 2011-08-09 13:37
ComboFix4.txt 2011-08-09 03:02
.
Pre-Run: 17,701,691,392 bytes free
Post-Run: 17,786,458,112 bytes free
.
- - End Of File - - 626D75E6B702EA1DC9471C9BDA6701BD


Eset scanned without a problem

C:\Documents and Settings\32104\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\adbhfcbddhpincahoengeleclpkjblgc\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\32104\My Documents\Downloads\Software Downloads 2011\Orbit Downloader 4.0.0.7\OrbitDownloaderSetup.exe Win32/OpenCandy application
C:\Qoobox\Quarantine\[4]-Submit_2011-08-09_09.25.34.zip multiple threats
C:\Qoobox\Quarantine\[4]-Submit_2011-08-09_19.24.17.zip Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\WINDOWS\mpwiapc1.dll.vir a variant of Win32/Cimag.HT trojan
C:\Qoobox\Quarantine\C\WINDOWS\ocecuhayaticu.dll.vir a variant of Win32/Kryptik.RAA trojan
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\authz32.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_authz32_.exe.zip Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000002.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000003.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000010.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000037.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000038.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000064.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000065.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000070.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000083.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000084.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000088.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000443.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000462.sys a variant of Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000463.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000500.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000501.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000502.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000503.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000504.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000505.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000507.dll a variant of Win32/Cimag.HT trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000508.dll a variant of Win32/Kryptik.RAA trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000687.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000688.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0000877.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000107.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000110.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000111.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000115.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000137.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000142.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000143.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000147.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000159.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000160.ini a variant of Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0000164.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000169.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0000194.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000209.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000218.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000237.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP6\A0000257.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0000385.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8\A0000399.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0000431.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0000442.manifest Win32/TrojanDownloader.Tracur.F trojan

Just a few things to do... I can't wait. Thank you for plugging away at this.
Noah




#14 Noah Body

Topic Starter
Members, 16 posts

Posted 10 August 2011 - 09:50 AM

Hello CatByte

I'm back with an update. I went ahead and deleted:
C:\Documents and Settings\32104\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\adbhfcbddhpincahoengeleclpkjblgc\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\32104\My Documents\Downloads\Software Downloads 2011\Orbit Downloader 4.0.0.7\OrbitDownloaderSetup.exe Win32/OpenCandy application
and all the old restore points, and after a reboot restarted System Restore with a clean slate. I ran Eset again and the results are:

C:\Qoobox\Quarantine\[4]-Submit_2011-08-09_09.25.34.zip multiple threats
C:\Qoobox\Quarantine\[4]-Submit_2011-08-09_19.24.17.zip Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{6b4a08bc-4b07-4b06-a9c5-fd075eb2a42f}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{7bc03c3f-8433-4320-a082-13a90ac0cd1c}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{921ee093-e5ba-42f1-85c2-a9f64355c1a3}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{96f990ee-558b-4b26-83d9-281306d64c30}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b0c0d79d-fe61-4c32-bea3-b54a1236d807}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{b2276c69-1cc2-4fc4-b5df-f41a7fe3329d}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\32104\Application Data\Mozilla\Firefox\Profiles\wrr1ak0r.default\extensions\{df8622b9-b0c2-4eeb-865e-6fdf7141462e}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\WINDOWS\mpwiapc1.dll.vir a variant of Win32/Cimag.HT trojan
C:\Qoobox\Quarantine\C\WINDOWS\ocecuhayaticu.dll.vir a variant of Win32/Kryptik.RAA trojan
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\authz32.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_authz32_.exe.zip Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir a variant of Win32/Sirefef.CO trojan

I know that is ComboFix's quarantine; all the little demons are right where they belong. Hope I didn't overstep.

The big problem I have now is that I have Windows Defender installed, but it is inoperable; I cannot uninstall or reinstall it. I am also finding out that I cannot install MS Security Essentials or AVG. This software blames Windows Installer when the installation fails. I'm thinking registry, but you're the boss. The malware had disabled all this before.

Thanks
Noah

Edited by Noah Body, 10 August 2011 - 10:59 AM.
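As an added example (not code from this thread, from ESET or from ComboFix), a small Python script that does the same triage on ESET result lines that the post above does by hand: hits under C:\Qoobox\Quarantine are ComboFix's quarantine and need no action, hits under System Volume Information disappear when old restore points are purged, and anything else is a live file that still needs removing. The line format assumption (path, then detection name, then an optional type word) and the bucket names are mine; the sample lines are copied from the scan output above.

```python
import re
from collections import defaultdict

# One ESET result line reads "<path> <detection> [<type>]".  Paths contain
# spaces but never a forward slash, so the first "/" belongs to the detection
# name; an archive with several hits is reported as "multiple threats" instead.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:a variant of )?[A-Za-z0-9]+/\S+(?:\s+[a-z]+)?|multiple threats)$"
)


def parse_line(line):
    """Split one ESET line into (path, detection); None for lines ESET did not flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("detection")


def classify(path):
    """Bucket a hit by where the file lives (bucket names are my own labels)."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantined"    # already neutralised by ComboFix; expected noise
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # cleared by purging the old restore points
    return "live"               # still on disk: the hits that need action


def triage(lines):
    """Group every parseable hit by bucket: {bucket: [(path, detection), ...]}."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, detection = parsed
        buckets[classify(path)].append((path, detection))
    return dict(buckets)


# Constructed sample: a handful of lines copied from the ESET output above,
# plus one ComboFix line to show that non-hits are skipped.
SAMPLE = [
    r"C:\Documents and Settings\32104\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\adbhfcbddhpincahoengeleclpkjblgc\contentscript.js Win32/TrojanDownloader.Tracur.F trojan",
    r"C:\Documents and Settings\32104\My Documents\Downloads\Software Downloads 2011\Orbit Downloader 4.0.0.7\OrbitDownloaderSetup.exe Win32/OpenCandy application",
    r"C:\Qoobox\Quarantine\[4]-Submit_2011-08-09_09.25.34.zip multiple threats",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\authz32.exe.vir Win32/Patched.HN trojan",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir a variant of Win32/Sirefef.CO trojan",
    r"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000002.sys a variant of Win32/Rootkit.Kryptik.DM trojan",
    r"C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0000443.manifest Win32/TrojanDownloader.Tracur.F trojan",
    "scanning hidden files ...",
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        print(f"{bucket} ({len(hits)})")
        for path, detection in hits:
            print(f"  {detection:42s} {path}")
```

Only the "live" bucket is worth acting on; the other two buckets are what ComboFix's quarantine and old restore points are expected to look like after a cleanup.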


#15 CatByte

bleepin' tiger
Malware Response Team, 14,664 posts
Location: Canada

Posted 10 August 2011 - 07:21 PM

Have a run through the troubleshooting steps on this site to see if anything helps:

http://www.microsoft.com/en-us/security_essentials/Support/cf5220bd-3da8-4694-ac42-f5396ef5ff0b.aspx

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




