
Infected with Trojan Hider.MPR


  • This topic is locked
20 replies to this topic

#1 Kenickie

Kenickie

  • Members
  • 33 posts

Posted 30 April 2012 - 05:14 PM

Hi,

My PC is infected with what AVG reports as Hider.MPR. This is detected by Resident Shield every time I boot up the computer, and you get the standard AVG "Threat Detected" dialogue box, where each time I choose to remove the threats. The infected files that it reports are:

\Local Settings\Temp\WEBRBARENIRIPGCQ.EXE
\Local Settings\Temp\MKEECULK.SYS

Deleting the first threat results in the termination of a process (with the same name) as well as removal of the file.

At various times it's reported the odd different file as well, such as

\Start Menu\Programs\Startup\FVDWYXSX.EXE

but it's not doing that at the moment.

Once these have been removed the PC seems to function mostly OK (i.e. it's not slow or anything), although the virus is still there and it's defending itself by disabling AVG and MBAM and stopping access to websites such as ESET and this one. When I reboot it all happens again.

I've tried a number of things to get rid of it with no success, as follows:

1. I've tried to run MBAM but it won't start - when you double click the icon nothing happens.
2. I've tried to run a full scan with AVG but this has been disabled. It scans nothing and reports a clean system. AVG's virus definition updates are also disabled, as is AVG's reporting that the update has failed.
3. I've tried to run an online ESET scan but access to the website is blocked.
4. I've tried to use a Dr Web boot disc to run a scan, but the virus definitions won't update and the scan won't run.
5. I've tried booting up in Safe Mode but that's disabled.
6. I've tried to use System Restore to return to before the infection but that had no effect.
7. I've tried to use the Recovery Console to do a system restore but I get "Access Denied" and "ren system system.bak" also fails.

That's the limit of my skills I'm afraid, which is why I need some help!! I'd be very grateful for any help you can give me. Oh, and I'm running XP Professional SP3 if that helps.

Thanks!!

Andy

-------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP at 21:06:07 on 2012-04-30
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3071.2461 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Squeezebox\SqueezeTray.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\PROGRA~1\SQUEEZ~1\server\SQUEEZ~3.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\hp\local settings\application data\wslkoxjh\fvdwyxsx.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [FvdWyxsx] c:\documents and settings\hp\local settings\application data\wslkoxjh\fvdwyxsx.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\squeezebox\SqueezeTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{31E4C301-CA6A-4084-AF27-499284A1CD9C} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AC2CB9FC-49AA-4E40-9475-1C62305B6895} : DhcpNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp\application data\mozilla\firefox\profiles\1m0njyn5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-3-26 2348352]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2010-1-6 185632]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [2010-1-6 19072]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-1-6 722432]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-7 253088]
S3 AEILAB;AEI USB To Fast Ethernet Adapter;c:\windows\system32\drivers\AEILAB.SYS [2008-10-10 24299]
S3 cpuz132;cpuz132;\??\c:\docume~1\hp\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\hp\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 pohci13F;pohci13F;c:\docume~1\hp\locals~1\temp\pohci13F.sys [2004-4-7 31744]
.
=============== Created Last 30 ================
.
2012-04-30 10:37:47 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-04-30 10:37:47 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-30 07:39:44 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-04-29 17:26:17 -------- d-----w- c:\documents and settings\hp\local settings\application data\wslkoxjh
2012-04-29 17:26:15 97240 ----a-w- c:\documents and settings\hp\0.2217911776818332.exe
2012-04-07 22:54:54 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-04-07 22:54:54 3072 ------w- c:\windows\system32\iacenc.dll
2012-04-07 12:25:24 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-04-25 21:30:03 342 ----a-w- c:\windows\wininit.tmp
2012-04-14 16:40:33 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 14:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-30 16:56:06 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2012-03-26 20:51:45 293992 -c--a-w- c:\windows\system32\nvdrsdb1.bin
2012-03-26 20:51:45 1 -c--a-w- c:\windows\system32\nvdrssel.bin
2012-03-26 20:51:39 293992 -c--a-w- c:\windows\system32\nvdrsdb0.bin
2012-03-10 14:36:57 1409 ----a-w- c:\windows\system32\tmpF03F7.FOT
2012-03-10 14:36:57 1409 ----a-w- c:\windows\system32\tmp941F7.FOT
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 23:58:00 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-02-29 23:58:00 65536 ----a-w- c:\windows\system32\OpenCL.dll
2012-02-29 23:58:00 5918720 ----a-w- c:\windows\system32\nvcuda.dll
2012-02-29 23:58:00 2522944 ----a-w- c:\windows\system32\nvcuvid.dll
2012-02-29 23:58:00 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-02-29 23:58:00 17534976 ----a-w- c:\windows\system32\nvcompiler.dll
2012-02-29 23:58:00 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
2012-02-16 12:51:18 1409 ----a-w- c:\windows\system32\tmp707C5.FOT
2012-02-16 12:51:18 1409 ----a-w- c:\windows\system32\tmp487C5.FOT
2012-02-15 13:49:02 1409 ----a-w- c:\windows\system32\tmp0C188.FOT
2012-02-15 13:49:01 1409 ----a-w- c:\windows\system32\tmp34188.FOT
2012-02-04 13:13:07 43520 -c--a-w- c:\windows\system32\CmdLineExt03.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 21:07:47.20 ===============

Attached Files
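The indicators a helper picks out of the DDS log above by eye are the extra executable appended to the Winlogon Userinit value, the Run entry pointing under Local Settings\Application Data, and drivers loading from the Temp folder. The script below is an added example, not part of the original post and not the DDS tool's own code; it applies those three checks to a constructed excerpt of the report. The regular expressions, the finding labels and the excerpt itself are my own assumptions about the line format as it appears in the log above.

```python
import re

# Constructed excerpt in the shape of the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections posted above; it is not the complete log.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\hp\local settings\application data\wslkoxjh\fvdwyxsx.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [FvdWyxsx] c:\documents and settings\hp\local settings\application data\wslkoxjh\fvdwyxsx.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [<NO NAME>]
dRunOnce: [RunNarrator] Narrator.exe
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 295248]
S3 cpuz132;cpuz132;\??\c:\docume~1\hp\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\hp\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 pohci13F;pohci13F;c:\docume~1\hp\locals~1\temp\pohci13F.sys [2004-4-7 31744]
"""

# Paths under the user's Temp or Local Settings\Application Data folders, in
# either the long form or the 8.3 short form that DDS prints.
PROFILE_SCRATCH = re.compile(r"(locals~1|local settings)\\(temp|application data)\\", re.I)

USERINIT = re.compile(r"^mWinlogon: Userinit=(.*)$", re.I)
RUN_KEY = re.compile(r"^[umd]Run(?:Once)?: \[([^\]]*)\]\s*(.*)$")
DRIVER = re.compile(r"^[RS]\d \S+;[^;]*;(.*?) \[")


def check_userinit(value):
    """Return every executable in the Userinit value other than userinit.exe.

    A clean Windows XP value is 'c:\\windows\\system32\\userinit.exe,' and
    nothing else; anything appended after it runs at every interactive logon.
    """
    parts = [p.strip().strip('"') for p in value.split(",")]
    return [p for p in parts if p and not p.lower().endswith("\\userinit.exe")]


def command_path(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" -", 1)[0]


def triage(dds_text):
    """Scan DDS report lines and return (finding, path) pairs for review."""
    findings = []
    for line in dds_text.splitlines():
        line = line.strip()
        m = USERINIT.match(line)
        if m:
            findings += [("userinit-hijack", p) for p in check_userinit(m.group(1))]
            continue
        m = RUN_KEY.match(line)
        if m:
            path = command_path(m.group(2))
            if PROFILE_SCRATCH.search(path):
                findings.append(("run-key-from-profile-scratch", path))
            continue
        m = DRIVER.match(line)
        if m and PROFILE_SCRATCH.search(m.group(1)):
            # A lead, not a verdict: some legitimate utilities also drop a
            # driver in Temp, so each hit still has to be identified by hand.
            findings.append(("driver-from-temp", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE_DDS):
        print(f"{kind:30} {path}")
```

The Userinit check is the strongest of the three signals, since a clean XP value is nothing but userinit.exe followed by a trailing comma, and it is exactly the entry CatByte's first CFScript resets. The driver check is deliberately weaker: the cpuz132 entry in the log is almost certainly the CPU-Z utility's own driver, which is why that class is flagged for review rather than treated as a verdict.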





#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 30 April 2012 - 06:12 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Kenickie

Kenickie
  • Topic Starter

  • Members
  • 33 posts

Posted 01 May 2012 - 05:25 AM

Hi,

Thanks for getting back to me. I've run Combofix and the results are attached.

The good news is that since the run I've managed to get AVG to do a manual rootkit scan, which threw up the usual hits on MKEECULK.SYS. However, it does seem to have had better success with removing it. Since rebooting the computer, AVG now updates and MBAM runs. AVG reports no more rootkits and MBAM removed a related registry key, and that aside they say the system is clean. The PC appears to be running normally. Although of course that doesn't mean it actually is!!

Andy

Attached Files



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 01 May 2012 - 07:28 AM

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic452021.html/page__pid__2684698#entry2684698

Collect::
c:\documents and settings\HP\Local Settings\Application Data\wslkoxjh\fvdwyxsx.exe
c:\docume~1\HP\LOCALS~1\Temp\mkeeculk.sys
c:\docume~1\HP\LOCALS~1\Temp\pohci13F.sys

Folder::
c:\documents and settings\HP\Local Settings\Application Data\wslkoxjh

File::
c:\windows\system32\tmpF03F7.FOT
c:\windows\system32\tmp941F7.FOT
c:\windows\system32\tmp707C5.FOT
c:\windows\system32\tmp487C5.FOT
c:\windows\system32\tmp0C188.FOT
c:\windows\system32\tmp34188.FOT

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

Driver::
Micorsoft Windows Service
pohci13F
MICORSOFT_WINDOWS_SERVICE

AtJob::

Rootkit::
c:\documents and settings\HP\Start Menu\Programs\Startup\fvdwyxsx.exe 

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



#5 Kenickie

Kenickie
  • Topic Starter

  • Members
  • 33 posts

Posted 02 May 2012 - 02:48 AM

That's all done - results are attached.

One thing it's worth mentioning is that ComboFix said that a newer version was available and asked me if I wanted to update. I said "yes", so I hope that's OK.

Thanks for your help! :)

Andy

Attached Files



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 02 May 2012 - 05:17 PM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 Kenickie

Kenickie
  • Topic Starter

  • Members
  • 33 posts

Posted 04 May 2012 - 03:08 AM

OK then, scans have been run and the results are pasted into this post. MBAM came back clean, and ESET had a couple of hits. I'm also still getting the occasional threat alert from AVG's Resident Shield, which always seems to refer to exe files in the system restore folders.

Andy

------------------------------------

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.03.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
HP :: COMPUTER2 [administrator]

03/05/2012 09:03:53
mbam-log-2012-05-03 (09-03-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222552
Time elapsed: 12 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

------------------------------------

C:\Qoobox\Quarantine\C\Documents and Settings\HP\0.2217911776818332.exe.vir Win32/Ramnit.A virus
C:\Qoobox\Quarantine\C\Documents and Settings\HP\Local Settings\Application Data\wslkoxjh\_fvdwyxsx_.exe.zip Win32/Ramnit.A virus

------------------------------------

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 04 May 2012 - 02:28 PM

Please do the following:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create,
when the confirmation screen shows the restore point has been created click Close.

Now remove all previous Restore Points:
Click Start > Run > copy and paste the following into the run box:

cleanmgr

Choose to scan drive C:\ (if C:\ is your main drive). At the top, click on the More Options tab. Click the Clean up button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.


NEXT

The detection of Ramnit is not a good sign. Ramnit is a polymorphic file infector, and a machine can never really be trusted once it has been infected with this type of infection; I normally recommend a total reformat and re-install. However, it is only infected in two files, so it may not have taken a hold and spread throughout your machine.

Run the following tool, then re-run ComboFix, then re-run the ESET online scanner to make certain there is no more trace of it:

Posted Image Please click HERE to download Kaspersky Virus Removal Tool (click on the Download link for Version 11).
NOTE. This is quite large file, so be patient.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop (be patient; it may take a while).
  • Accept license agreement and click "Start" button.
  • Click on Settings button Posted Image
    • In Scan scope leave pre-checked items as they are and also checkmark My Computer
    • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
  • Click on Automatic Scan tab and then click on Start scanning button.
  • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  • When the scan is done NO log will be produced.
  • Click on Report button Posted Image then on Automatic Scan report tab.
  • Right click anywhere within right pane, click Select All then right click again and click Copy.
  • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

Edited by CatByte, 07 May 2012 - 02:02 PM.



#9 Kenickie

Kenickie
  • Topic Starter

  • Members
  • 33 posts

Posted 07 May 2012 - 01:46 PM

Apologies for the delay in replying, those scans took an awful long time to run! Sorted now. :)

Unfortunately a full reformat isn't an option because it's a second hand PC I got with Windows already installed, so I have no installation disks and as far as Microsoft are concerned I don't even own that copy of Windows. So hopefully we can clean it up without resorting to that!

After the Kaspersky run, if I followed your instructions exactly I either had one line of output basically saying "I did a run" or 400,000 lines listing the results for every single file scanned. I figured you were just after the interesting bits so I've just copied the results that weren't "OK". They are as follows:

--------------------------------

06/05/2012 14:44:04 Moved to Quarantine Trojans HEUR:Trojan.Win32.Generic High Probably C:\Qoobox\Quarantine\C\Documents and Settings\HP\Local Settings\Application Data\wslkoxjh\_fvdwyxsx_.exe.zip/fvdwyxsx.exe
06/05/2012 15:03:58 Detected Trojans HEUR:Trojan.Win32.Generic High Probably C:\Qoobox\Quarantine\C\Documents and Settings\HP\0.2217911776818332.exe.vir
06/05/2012 15:08:50 Moved to Quarantine Trojans HEUR:Trojan.Win32.Generic High Probably C:\Qoobox\Quarantine\C\Documents and Settings\HP\0.2217911776818332.exe.vir
06/05/2012 14:43:53 Detected Trojans HEUR:Trojan.Win32.Generic High Probably C:\Qoobox\Quarantine\C\Documents and Settings\HP\Local Settings\Application Data\wslkoxjh\_fvdwyxsx_.exe.zip/fvdwyxsx.exe

--------------------------------

ComboFix results are longer so they are attached - it asked if I wanted to update to a newer version again. ESET came out clean, so I'm hoping that's a good sign. :)

Attached Files
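Every hit in the ESET and Kaspersky output above sits under C:\Qoobox\Quarantine, which is ComboFix's own quarantine folder, so the scanners were finding copies ComboFix had already moved out of the way rather than files still running; the AVG alerts on the System Restore folders mentioned in post #7 are the same pattern, and post #8 has the old restore points cleared for that reason. A quarantine hit still tells you what was on the machine, it just does not by itself mean the infection is live. The script below is an added example (not the poster's or the helper's code) that parses both report formats as they appear in this thread, folds the archive/inner-file notation back onto the on-disk container, and separates quarantined and restore-point copies from paths that are actually live. The ESET line layout, the Kaspersky column layout, and the last two Kaspersky lines with their paths are my own assumptions and constructions for illustration.

```python
import re
from collections import Counter

# Constructed sample input. The two ESET lines and the first four Kaspersky
# lines are copied from the thread; the last two Kaspersky lines are made up
# here to show the other two location classes (restore point, live file).
ESET_EXPORT = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\HP\0.2217911776818332.exe.vir Win32/Ramnit.A virus
C:\Qoobox\Quarantine\C\Documents and Settings\HP\Local Settings\Application Data\wslkoxjh\_fvdwyxsx_.exe.zip Win32/Ramnit.A virus
"""

KASPERSKY_REPORT = r"""
06/05/2012 14:44:04 Moved to Quarantine Trojans HEUR:Trojan.Win32.Generic High Probably C:\Qoobox\Quarantine\C\Documents and Settings\HP\Local Settings\Application Data\wslkoxjh\_fvdwyxsx_.exe.zip/fvdwyxsx.exe
06/05/2012 15:03:58 Detected Trojans HEUR:Trojan.Win32.Generic High Probably C:\Qoobox\Quarantine\C\Documents and Settings\HP\0.2217911776818332.exe.vir
06/05/2012 15:08:50 Moved to Quarantine Trojans HEUR:Trojan.Win32.Generic High Probably C:\Qoobox\Quarantine\C\Documents and Settings\HP\0.2217911776818332.exe.vir
06/05/2012 14:43:53 Detected Trojans HEUR:Trojan.Win32.Generic High Probably C:\Qoobox\Quarantine\C\Documents and Settings\HP\Local Settings\Application Data\wslkoxjh\_fvdwyxsx_.exe.zip/fvdwyxsx.exe
06/05/2012 15:20:00 Detected Trojans HEUR:Trojan.Win32.Generic High Probably C:\System Volume Information\_restore{PLACEHOLDER}\RP1\A0000001.exe
06/05/2012 15:21:00 Detected Trojans HEUR:Trojan.Win32.Generic High Probably C:\Documents and Settings\HP\Local Settings\Temp\EXAMPLE.EXE
"""

# Assumed Kaspersky column order: timestamp, action, category, verdict,
# severity, confidence, then the path (which may itself contain spaces).
KASPERSKY_LINE = re.compile(
    r"^(?P<when>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<action>Detected|Moved to Quarantine)\s+"
    r"(?P<category>\S+)\s+(?P<verdict>\S+)\s+(?P<severity>\S+)\s+(?P<confidence>\S+)\s+"
    r"(?P<path>.+)$")
# Assumed ESET export layout: path, then a verdict such as "Win32/Ramnit.A virus".
ESET_LINE = re.compile(r"^(?P<path>.+?)\s+(?P<verdict>\S+/\S+(?:\s+\S+)?)$")

# Folders where a hit is a stored copy rather than a file in use.
LOCATION_RULES = [
    ("combofix-quarantine", re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I)),
    ("restore-point", re.compile(r"^[a-z]:\\system volume information\\", re.I)),
]


def container_of(path):
    """'archive.zip/inner.exe' is judged by the container that exists on disk."""
    return path.split("/", 1)[0].lower()


def classify_location(path):
    container = container_of(path)
    for label, rule in LOCATION_RULES:
        if rule.search(container):
            return label
    return "live"


def parse_eset(text):
    records = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            records.append({"source": "eset", "verdict": m["verdict"], "path": m["path"]})
    return records


def parse_kaspersky(text):
    records = []
    for line in text.splitlines():
        m = KASPERSKY_LINE.match(line.strip())
        if m:
            records.append({"source": "kaspersky", "action": m["action"],
                            "verdict": m["verdict"], "path": m["path"]})
    return records


def summarize(records):
    """Deduplicate hits by on-disk container and count each location class."""
    seen = {}
    for rec in records:
        seen.setdefault(container_of(rec["path"]), rec)
    counts = Counter(classify_location(c) for c in seen)
    live = sorted(c for c in seen if classify_location(c) == "live")
    return {"unique": len(seen), "counts": dict(counts), "live": live}


if __name__ == "__main__":
    report = summarize(parse_eset(ESET_EXPORT) + parse_kaspersky(KASPERSKY_REPORT))
    print(report["counts"])
    for path in report["live"]:
        print("still live:", path)
```

Deduplicating on the container matters because the same sample shows up three times in the thread's output (ESET on the .zip, Kaspersky on the .zip and again on the inner .exe); counting by line would overstate how much was found.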



#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 07 May 2012 - 02:12 PM

One of the files regenerated, so let's see what another run will do.

(Allow ComboFix to update if it asks to do so.)


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic452021.html/page__pid__2691441

Collect::
c:\documents and settings\HP\Local Settings\Application Data\wslkoxjh\fvdwyxsx.exe

File::
c:\windows\system32\tmp707C5.FOT
c:\windows\system32\tmp487C5.FOT
c:\windows\system32\tmp0C188.FOT
c:\windows\system32\tmp34188.FOT
c:\program files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe 

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FvdWyxsx"=-

AtJob::

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



#11 Kenickie


Posted 07 May 2012 - 04:23 PM

Well I ran it, but there appeared to be a problem with my internet connection - not sure whether this was actually caused by ComboFix or whether it was just a coincidence, but either way I didn't get a dialogue box at the end, I just got the usual log in Notepad. So I'm guessing it didn't submit any files but I don't know. The log is attached anyway in case that's any use. Do you want me to re-run ComboFix?




#12 CatByte


Posted 07 May 2012 - 05:51 PM

Hi,

Not sure why that file didn't collect as requested; perhaps it had been deleted previously?

These files have me a little bewildered:

c:\windows\system32\tmp707C5.FOT

.FOT files are related to font files, but I am not sure why they are still being created as temporary files. I haven't seen them on a system before.

Please try to upload one or two of them (they may not be able to be uploaded, as they are temp files).


Submit a file to VirusTotal for analysis:
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file c:\windows\system32\tmp34188.FOT
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.


c:\windows\system32\tmp707C5.FOT
c:\windows\system32\tmp487C5.FOT
c:\windows\system32\tmp0C188.FOT


Could you also run another on-line scan with ESET to see what it reports?



#13 Kenickie


Posted 08 May 2012 - 09:48 AM

Well I didn't delete anything after the ComboFix run myself, it was just that my internet connection went down sometime during it. I had to reboot the modem though so it may just have been that the timing was a coincidence.

I checked one of the files at VirusTotal and it didn't show up anything. The results are here:

https://www.virustotal.com/file/8a765533d0cb91f3a09c10a5456fba8a09be74f691f2538827c6dad62affa606/analysis/1336472618/

ESET was clear too.

I've also attached a couple of the files. They wouldn't attach as .FOT files so I renamed them to .txt.




#14 CatByte


Posted 08 May 2012 - 04:59 PM

Well, those files do appear harmless enough; I'm just not certain why they are being created or what is creating them.

It appears that you have dodged a bullet with the Ramnit infection, and the infected files have been dealt with.

Although I cannot guarantee your machine is clean, I would keep a close watch on it.

Please run the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date.
Java™ 6 Update 27 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


How is the computer running now? Are there any outstanding issues?



#15 Kenickie


Posted 09 May 2012 - 04:52 PM

All updated, and everything appears to be running normally. But I will keep my eye out for anything unusual happening.

Thanks so much for all your help... I was well out of my depth! :)
