Recurring TR\Dropper.Gen


  • This topic is locked

#16 mjhermano (Member, Topic Starter, 14 posts)
It figures that something that escaped me would do this much damage :). But I'd rather avoid having to redo my entire system. I use it for business, but there really is no personal information, mine or others involved.

ComboFix log:
ComboFix 11-08-24.04 - MJ 08/25/2011 6:55.16.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1695 [GMT 8:00]
Running from: c:\documents and settings\MJ\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MJ\Desktop\cfscript4.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
FILE ::
"C:\bootQD.exe"
"c:\documents and settings\on1.exe"
"c:\documents and settings\onSetup.exe"
"c:\windows\system32\bootQD.exe"
"c:\windows\system32\hex1.exe"
"c:\windows\system32\on1.exe"
"c:\windows\system32\onSetup.exe"
"c:\windows\system32\winghost.exe"
"C:\xpQD.exe"
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\bootQD.exe
c:\documents and settings\onSetup.exe
c:\windows\system32\hex123.exe
c:\windows\system32\onSetup.exe
c:\windows\system32\winghost.exe
c:\windows\system32\WS.exe
c:\windows\system32\xp1433.exe
c:\windows\system32\xpQD.exe
c:\windows\winsys.exe
C:\xpQD.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
.
.
2011-08-24 22:32 . 2011-08-24 22:32 499712 ----a-w- c:\documents and settings\onwinsys.exe
2011-08-24 22:32 . 2011-08-24 22:32 499712 ----a-w- c:\windows\system32\onwinsys.exe
2011-08-24 22:09 . 2011-08-24 22:10 -------- d-----w- c:\windows\system32\i1067
2011-08-24 22:05 . 2011-08-24 22:05 0 ----a-w- c:\documents and settings\hex123.exe
2011-08-24 22:05 . 2011-08-24 22:05 561152 ----a-w- c:\documents and settings\on123.exe
2011-08-24 21:41 . 2011-08-24 21:41 236032 ----a-w- C:\hex1433.exe
2011-08-24 21:40 . 2011-08-24 21:40 66 ----a-w- C:\xp1433.exe
2011-08-23 20:26 . 2011-08-23 20:26 119446862 ----a-w- C:\registrybackup.reg
2011-08-23 12:23 . 2011-08-23 12:23 -------- d-----w- c:\program files\Common Files\Java
2011-08-23 12:22 . 2011-08-23 12:22 -------- d-----w- c:\program files\Java
2011-08-23 11:38 . 2011-08-23 11:38 -------- d-----w- c:\documents and settings\MJ\Application Data\SUPERAntiSpyware.com
2011-08-23 11:37 . 2011-08-23 11:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-23 11:37 . 2011-08-23 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-23 08:36 . 2011-08-23 08:36 -------- d-----w- C:\_OTL
2011-08-23 03:13 . 2011-08-23 03:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2011-08-22 19:45 . 2011-08-22 19:45 -------- d-----w- c:\documents and settings\MJ\DoctorWeb
2011-08-22 18:53 . 2011-08-22 18:53 -------- d-----w- C:\VundoFix Backups
2011-08-22 18:07 . 2011-08-22 18:07 -------- d-----w- c:\documents and settings\MJ\Application Data\Malwarebytes
2011-08-22 18:07 . 2011-07-06 11:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-22 18:07 . 2011-08-22 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-22 18:06 . 2011-08-22 18:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-22 18:06 . 2011-07-06 11:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 12:50 . 2011-08-22 14:06 -------- d-----w- C:\Clipart
2011-08-22 12:50 . 2003-08-01 05:00 13359 ----a-w- c:\windows\system32\drivers\SYDEXFDD.SYS
2011-08-22 12:50 . 2001-01-19 07:21 28416 ----a-w- c:\windows\system32\drivers\WNTPPORT.SYS
2011-08-22 12:50 . 2000-05-03 09:26 244232 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2011-08-22 12:50 . 1999-05-06 16:00 140288 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-08-22 12:50 . 1998-10-29 08:58 20644 ----a-w- c:\windows\system32\EMTRANS.VXD
2011-08-22 12:50 . 1997-01-21 10:16 133392 ----a-w- c:\windows\system32\MSMAPI32.OCX
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-23 12:22 . 2010-05-24 13:31 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-08-22 12:26 . 2010-05-13 09:24 81920 ----a-w- c:\windows\DUMP4dd1.tmp
2011-08-22 12:17 . 2010-05-13 09:24 81920 ----a-w- c:\windows\DUMP46bd.tmp
2011-07-05 16:36 . 2011-07-05 16:36 9216 ----a-r- c:\documents and settings\MJ\Application Data\Microsoft\Installer\{7426428E-71D4-452C-BA13-B14E5EB52859}\Icon7426428E16.exe
2011-08-18 06:01 . 2011-03-23 22:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-22_22.02.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-08-22 20:38 . 2011-08-22 20:38 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
+ 2011-08-24 23:06 . 2011-08-24 23:06 16384 c:\windows\temp\Perflib_Perfdata_684.dat
+ 2011-08-24 23:06 . 2011-08-24 23:06 16384 c:\windows\temp\Perflib_Perfdata_630.dat
+ 2010-05-13 16:43 . 2011-08-23 13:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-13 16:43 . 2011-08-22 16:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-13 16:43 . 2011-08-23 13:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-05-13 16:43 . 2011-08-22 16:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-12-21 14:11 . 2010-12-21 14:11 157472 c:\windows\system32\javaws.exe
+ 2011-08-23 12:22 . 2011-08-23 12:22 157472 c:\windows\system32\javaws.exe
+ 2011-08-23 12:22 . 2011-08-23 12:22 145184 c:\windows\system32\javaw.exe
- 2010-12-21 14:11 . 2010-12-21 14:11 145184 c:\windows\system32\javaw.exe
+ 2011-08-23 12:22 . 2011-08-23 12:22 145184 c:\windows\system32\java.exe
- 2010-12-21 14:11 . 2010-12-21 14:11 145184 c:\windows\system32\java.exe
+ 2011-08-23 12:23 . 2011-08-23 12:23 203776 c:\windows\Installer\749179.msi
+ 2011-08-23 12:22 . 2011-08-23 12:22 902656 c:\windows\Installer\749171.msi
+ 2004-08-03 22:56 . 2004-08-03 22:56 1032192 c:\windows\system32\sethc.exe
+ 2004-08-03 22:56 . 2004-08-03 22:56 1032192 c:\windows\system32\dllcache\sethc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-05-27 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-25 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-25 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-25 136192]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"FixCamera"="c:\windows\FixCamera.exe" [2008-08-21 188928]
"tsnp2uvc"="c:\windows\tsnp2uvc.exe" [2009-12-11 320512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-09 2552648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-20 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\MJ\Start Menu\Programs\Startup\
PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2011-6-9 477736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-18 74308]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CAPCOM\\STREETFIGHTERIV\\StreetFighterIV.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"k:\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"k:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"k:\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"k:\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"k:\\Dragon Age\\bin_ship\\daorigins.exe"=
"k:\\Dragon Age\\DAOriginsLauncher.exe"=
"k:\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R0 AladdinUsbFilter;AladdinUsbFilterService;c:\windows\system32\drivers\AladdinUsbFilter.sys [5/13/2010 8:12 AM 484352]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [5/2/2011 8:36 PM 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [5/2/2011 8:36 PM 29400]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/23/2011 12:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2011 5:55 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/12/2011 7:38 AM 116608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/12/2011 5:28 AM 136360]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/19/2010 5:00 PM 148744]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [12/16/2009 10:09 AM 188736]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [12/16/2009 10:11 AM 65856]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/24/2011 5:58 PM 2214504]
R2 wntpport;wntpport;c:\windows\system32\drivers\WNTPPORT.SYS [8/22/2011 8:50 PM 28416]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [5/13/2010 10:02 AM 119528]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [6/9/2011 6:40 PM 13312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/13/2010 9:56 AM 1684736]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [8/2/2010 4:19 PM 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [8/2/2010 4:19 PM 20864]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [8/2/2010 4:19 PM 19968]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [8/2/2010 4:19 PM 24960]
S3 AndNetDiag;LG AndroidNet USB Serial Port;c:\windows\system32\drivers\lgandnetdiag.sys [8/2/2010 4:19 PM 23040]
S3 AndNetGps;LG AndroidNet USB GPS NMEA Port;c:\windows\system32\drivers\lgandnetgps.sys [8/2/2010 4:19 PM 22272]
S3 ANDNetModem;LG AndroidNet USB Modem;c:\windows\system32\drivers\lgandnetmodem.sys [8/2/2010 4:19 PM 27776]
S3 andnetndis;LG AndroidNet NDIS Ethernet Adapter;c:\windows\system32\drivers\lgandnetndis.sys [8/2/2010 4:19 PM 66816]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [6/9/2011 6:35 PM 31312]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;k:\dragon age\bin_ship\daupdatersvc.service.exe [12/16/2009 4:07 AM 25832]
S3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [9/29/2009 8:11 AM 12160]
S3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys --> c:\windows\system32\DRIVERS\lgbtbus.sys [?]
S3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\DRIVERS\lgvmodem.sys --> c:\windows\system32\DRIVERS\lgvmodem.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/23/2011 2:07 AM 41272]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [8/22/2011 8:50 PM 13359]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
imgsvc REG_MULTI_SZ StiSvc Please Input Service Name Nxixnv Orirebul Umb
xcvs REG_MULTI_SZ xcvs
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-448539723-725345543-1003Core.job
- c:\documents and settings\MJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-01 20:53]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-448539723-725345543-1003UA.job
- c:\documents and settings\MJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-01 20:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=15161&l=dis
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: LG Air Sync (R-Click) - Save as Mobile Image - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/206
IE: LG Air Sync (R-Click) - Save as Mobile Memo - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/208
IE: LG Air Sync (R-Click) - Save as Mobile Text file - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/210
IE: LG Air Sync (R-Click) - Set as Mobile Wallpaper - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/205
IE: LG Air Sync Option - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/209
TCP: DhcpNameServer = 202.8.224.36 202.8.224.39
TCP: Interfaces\{56E4BDAE-AFFC-4749-8E1C-5F2C133402B6}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{7D033C36-3894-4E86-818D-2D141154C4BF}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8BE85404-7DE2-4429-A5FE-C0B39B413BB3}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\MJ\Application Data\Mozilla\Firefox\Profiles\9j7isrn4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-25 07:06
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'lsass.exe'(1104)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3460)
c:\windows\system32\guard32.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
**************************************************************************
.
Completion time: 2011-08-25 07:12:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-24 23:12
ComboFix2.txt 2011-08-24 21:22
ComboFix3.txt 2011-08-24 19:09
ComboFix4.txt 2011-08-24 18:42
ComboFix5.txt 2011-08-24 22:52
.
Pre-Run: 4,624,850,944 bytes free
Post-Run: 4,527,546,368 bytes free
.
- - End Of File - - A32322F3ABBC73D3D458E3B6986B6870
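One way to pull the indicators a responder would want out of the ComboFix log above, as an added example (it is not code from the post, from ComboFix, or from the Geeks to Go helpers): it parses the `svchost` service-group key under "Reg Loading Points", the "Files Created" section and the Windows Firewall standard-profile state, then flags svchost members outside a Windows XP baseline (the `imgsvc` group should hold only `StiSvc`; the extra names, including "Please Input Service Name", which is obviously not a Windows service, and the whole `xcvs` group are the random-named service persistence worth checking against a baseline) and executables dropped into a drive root, the profiles root, \windows or \system32, or that are empty or tiny. The XP baseline, the drop-directory list, the 4096-byte threshold and the excerpted SAMPLE_LOG are this example's own assumptions, not facts from the thread.

```python
# Added example: triage of a ComboFix log for the persistence and drop patterns
# seen in this thread. Not code from the post or from ComboFix.
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the log posted above (same line formats, fewer lines).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
.
2011-08-24 22:32 . 2011-08-24 22:32 499712 ----a-w- c:\windows\system32\onwinsys.exe
2011-08-24 22:05 . 2011-08-24 22:05 0 ----a-w- c:\documents and settings\hex123.exe
2011-08-24 21:40 . 2011-08-24 21:40 66 ----a-w- C:\xp1433.exe
2011-08-22 18:07 . 2011-07-06 11:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-23 11:37 . 2011-08-23 11:38 -------- d-----w- c:\program files\SUPERAntiSpyware
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
imgsvc REG_MULTI_SZ StiSvc Please Input Service Name Nxixnv Orirebul Umb
xcvs REG_MULTI_SZ xcvs
.
"""

# ASSUMPTION: Windows XP SP2 default membership of the svchost groups in the log.
# ComboFix hides groups whose contents are stock defaults, so every group it
# prints deserves a look; a group absent from the baseline is flagged whole.
XP_SVCHOST_BASELINE: Dict[str, set] = {"imgsvc": {"StiSvc"}}  # Windows Image Acquisition

# Drop locations used by the files in this log, and a size below which an .exe is
# more likely a downloader stub than a program (both are this example's choices).
DROP_DIRS = ("c:\\", "c:\\documents and settings\\", "c:\\windows\\", "c:\\windows\\system32\\")
TINY_EXE_BYTES = 4096

FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)

def _section(text: str, header_pattern: str) -> List[str]:
    """Lines after the first header matching header_pattern, up to ComboFix's '.' separator.
    '.' lines before any content (as under the 'Files Created' banner) are skipped."""
    out: List[str] = []
    inside = False
    for line in text.splitlines():
        if not inside:
            inside = re.search(header_pattern, line, re.IGNORECASE) is not None
        elif line.strip() == ".":
            if out:
                break
        else:
            out.append(line)
    return out

def parse_svchost_groups(text: str) -> Dict[str, List[str]]:
    """svchost group -> hosted service names. ComboFix prints REG_MULTI_SZ values
    space-separated, so the bogus 'Please Input Service Name' arrives as four tokens."""
    groups: Dict[str, List[str]] = {}
    for line in _section(text, r"\\svchost\]$"):
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "REG_MULTI_SZ":
            groups[parts[0]] = parts[2:]
    return groups

def suspicious_svchost_members(groups: Dict[str, List[str]],
                               baseline: Dict[str, set] = XP_SVCHOST_BASELINE) -> List[Tuple[str, str]]:
    """(group, service) pairs that are not in the baseline for that group."""
    return [(g, s) for g, members in groups.items()
            for s in members if s not in baseline.get(g, set())]

def parse_created_files(text: str) -> List[dict]:
    """Entries of the 'Files Created' section; directories carry no size."""
    entries = []
    for line in _section(text, r"Files Created from"):
        m = FILE_RE.match(line)
        if m:
            entries.append({"created": m["created"], "path": m["path"],
                            "is_dir": m["attrs"].startswith("d"),
                            "size": None if m["size"].startswith("-") else int(m["size"])})
    return entries

def suspicious_created_files(entries: List[dict]) -> List[str]:
    """Executables written to a drop location, or too small to be a real program."""
    flagged = []
    for e in entries:
        if e["is_dir"] or not e["path"].lower().endswith(".exe"):
            continue
        parent = e["path"].lower().rsplit("\\", 1)[0] + "\\"
        if parent in DROP_DIRS or (e["size"] is not None and e["size"] < TINY_EXE_BYTES):
            flagged.append(e["path"])
    return flagged

def firewall_enabled(text: str) -> Optional[bool]:
    """Windows Firewall standard-profile state, or None if the key is not in the log."""
    m = re.search(r'"EnableFirewall"=\s*(\d+)', text)
    return None if m is None else m.group(1) != "0"

if __name__ == "__main__":
    print("unexpected svchost members:", suspicious_svchost_members(parse_svchost_groups(SAMPLE_LOG)))
    print("dropped executables:", suspicious_created_files(parse_created_files(SAMPLE_LOG)))
    print("Windows Firewall (standard profile) enabled:", firewall_enabled(SAMPLE_LOG))
```

Run against the full log rather than the excerpt, the same three checks flag every `imgsvc` member except `StiSvc`, the whole `xcvs` group, the executables written to `C:\`, the profiles root and `system32`, and the disabled firewall; a baseline for a different Windows build needs its own `XP_SVCHOST_BASELINE` table.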

#17 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
HI!


It figures that something that escaped me would do this much damage . But I'd rather avoid having to redo my entire system. I use it for business, but there really is no personal information, mine or others involved.

Yeah, I can understand where you are coming from, but this infection seems to be re-occurring, so the only real viable option to get rid of this infection is probably going to be a full reformat and re-install.

Run this tool:


ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#18 mjhermano (Member, Topic Starter, 14 posts)
After the first scan took me 6 hours just to crash, I readied myself for a reformat. The second scan was much faster, though. Only one file seems to be something we haven't touched before, and it's been in my startup for months, so I'm not sure if that's the culprit.

At least if it ends up being impossible to salvage, I hope to know where the backdoor came from and how I can avoid it in the future. The application it seems to be exploiting is SQL server, and I use that for business with no way to update, so I'd like to know how I got infected and/or how to avoid it.


Anyway, LOG
C:\bootQD.exe Win32/Agent.SBX trojan
C:\Documents and Settings\onwinsys.exe a variant of Win32/Farfli.FX trojan
C:\Documents and Settings\MJ\My Documents\Downloads\mp4tovideo_install.exe Win32/Adware.MarketScore.A application
C:\LG Backup\SuperOneClick2\rageagainstthecage Android/Exploit.RageCage.A trojan
C:\Program Files\myawug.exe a variant of Win32/ServStart.AD trojan
C:\Program Files\Internet Explorer\360liveupdate.dll a variant of Win32/Farfli.CH trojan
C:\Qoobox\Quarantine\C\bootQD.exe.vir Win32/Agent.SBX trojan
C:\Qoobox\Quarantine\C\dboycao.exe.vir Win32/Parite.A virus
C:\Qoobox\Quarantine\C\Documents and Settings\on33.exe.vir a variant of Win32/Farfli.FX trojan
C:\Qoobox\Quarantine\C\Documents and Settings\onSetup.exe.vir probably a variant of Win32/Redosdru.HI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\smss.exe.vir a variant of Win32/Agent.OMY trojan
C:\Qoobox\Quarantine\C\Program Files\Bmje\Nggojewow.pic.vir probably a variant of Win32/Farfli.FC trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\hex360.exe.vir a variant of Win32/PcClient.NGZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\on33.exe.vir a variant of Win32/Farfli.FX trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\onSetup.exe.vir probably a variant of Win32/Redosdru.HI trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SMS.EXE.vir a variant of Win32/ServStart.AD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1049\D001.exe.vir a variant of Win32/Agent.OSH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1049\F001.exe.vir Win32/ServStart.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1049\G001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1049\I001.exe.vir a variant of Win32/ServStart.AD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1049\JATE.exe.vir a variant of Win32/ServStart.AD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1049\JBSB.exe.vir Win32/ServStart.AL trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1734\D001.exe.vir a variant of Win32/Agent.OSH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1734\F001.exe.vir Win32/ServStart.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1734\G001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1734\H002.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1734\JATE.exe.vir a variant of Win32/ServStart.AD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1734\JBSB.exe.vir Win32/ServStart.AL trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1952\D001.exe.vir a variant of Win32/Agent.OSH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1952\F001.exe.vir Win32/ServStart.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1952\G001.exe.vir a variant of Win32/Farfli.AY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1952\H002.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1952\JATE.exe.vir a variant of Win32/ServStart.AD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i1952\JBSB.exe.vir Win32/ServStart.AL trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i3100\D001.exe.vir a variant of Win32/Agent.OSH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i3100\F001.exe.vir Win32/ServStart.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i3100\G001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i3100\I001.exe.vir a variant of Win32/ServStart.AD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i3100\JATE.exe.vir a variant of Win32/Agent.OMY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i3100\JBSB.exe.vir Win32/ServStart.AL trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i4478\G001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i5335\D001.exe.vir a variant of Win32/Agent.OSH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i5335\F001.exe.vir Win32/ServStart.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i5335\G001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i5335\H001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i5335\JATE.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i5335\JBSB.exe.vir a variant of Win32/Farfli.AY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i6044\D001.exe.vir a variant of Win32/Agent.OSH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i6044\F001.exe.vir Win32/ServStart.AA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i6044\G001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i6044\H002.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i6044\JATE.exe.vir a variant of Win32/ServStart.AD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i6044\JBSB.exe.vir Win32/ServStart.AL trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i6477\G001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i7329\E001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i7329\JATE.exe.vir a variant of Win32/Agent.OMY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i7813\G001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i8267\E001.exe.vir a variant of Win32/Kryptik.LRP trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i8267\G001.exe.vir a variant of Win32/PcClient.NGZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\i8267\JATE.exe.vir a variant of Win32/Agent.OMY trojan
C:\RECYCLER\onf1.dat BAT/TrojanDownloader.Ftp.NLM trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP514\A0082166.exe a variant of Win32/Farfli.EK trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP514\A0082167.exe a variant of Win32/Farfli.EK trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0083696.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0083698.exe a variant of Win32/Farfli.AY trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0083699.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0083700.exe a variant of Win32/Agent.OSH trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0083909.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0083910.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084007.exe a variant of Win32/Farfli.GA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084008.exe a variant of Win32/Farfli.GA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084009.exe a variant of Win32/Farfli.GA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084023.exe a variant of Win32/Farfli.FX trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084090.exe a variant of Win32/Farfli.FX trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084131.exe a variant of Win32/Delf.PTA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084132.exe a variant of Win32/Delf.PTA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084137.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084160.exe a variant of Win32/Farfli.FX trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084245.exe a variant of Win32/Farfli.GA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084246.exe a variant of Win32/Farfli.GA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084247.exe a variant of Win32/Farfli.GA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084249.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084250.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084251.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084254.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084255.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084256.dll a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084257.dll a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084258.dll a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084259.dll a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP526\A0086257.exe Win32/Redosdru.GL trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP527\A0086329.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP527\A0088316.exe Win32/Redosdru.GL trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088638.exe a variant of Win32/Agent.OSH trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088639.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088640.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088642.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088643.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088644.exe Win32/ServStart.AL trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088645.exe a variant of Win32/Agent.OSH trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088646.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088647.exe a variant of Win32/Farfli.AY trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088648.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088649.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088650.exe Win32/ServStart.AL trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088653.exe a variant of Win32/Agent.OSH trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088654.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088655.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088656.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088658.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088659.exe a variant of Win32/Farfli.AY trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088661.exe a variant of Win32/Agent.OSH trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088662.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088663.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088665.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088666.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088667.exe Win32/ServStart.AL trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088766.bat BAT/TrojanDownloader.Ftp.NHN trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088770.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088771.exe a variant of Win32/Agent.ORM trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088774.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088777.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088781.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088828.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088829.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088839.exe Win32/ServStart.AL trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089116.exe Win32/Parite.A virus
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089118.exe a variant of Win32/Farfli.FX trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089122.exe a variant of Win32/PcClient.NGZ trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089124.exe a variant of Win32/Agent.OSH trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089125.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089126.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089129.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089130.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089131.exe Win32/ServStart.AL trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089133.exe a variant of Win32/Agent.OSH trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089134.exe Win32/ServStart.AA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089135.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089138.exe a variant of Win32/ServStart.AD trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089139.exe a variant of Win32/Agent.OMY trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089140.exe Win32/ServStart.AL trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089142.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089143.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089144.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089145.exe a variant of Win32/Agent.OMY trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089146.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089147.exe a variant of Win32/Kryptik.LRP trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089148.exe a variant of Win32/PcClient.NGZ trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089149.exe a variant of Win32/Agent.OMY trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089152.exe a variant of Win32/Farfli.FX trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP530\A0089544.exe Win32/Parite.B virus
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP530\A0089562.exe Win32/Agent.SBX trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP530\A0089565.exe probably a variant of Win32/Redosdru.HI trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP530\A0089598.exe Win32/Agent.SBX trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP530\A0089599.exe Win32/Agent.SBX trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP530\A0089668.exe Win32/Agent.SBX trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP530\A0089792.exe Win32/Agent.SBX trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP530\A0089793.exe probably a variant of Win32/Redosdru.HI trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP530\A0089795.exe probably a variant of Win32/Redosdru.HI trojan
C:\WINDOWS\FixCamera.exe a variant of Win32/KillProc.B application
C:\WINDOWS\system32\bootQD.exe Win32/Agent.SBX trojan
C:\WINDOWS\system32\onwinsys.exe a variant of Win32/Farfli.FX trojan
C:\WINDOWS\system32\Wib8001.exe a variant of Win32/Kryptik.LRP trojan
C:\WINDOWS\system32\i9049\D001.exe a variant of Win32/Agent.OSH trojan
C:\WINDOWS\system32\i9049\E001.exe a variant of Win32/Kryptik.LRP trojan
C:\WINDOWS\system32\i9049\F001.exe Win32/ServStart.AA trojan
C:\WINDOWS\system32\i9049\G001.exe a variant of Win32/Kryptik.LRP trojan
C:\WINDOWS\system32\i9049\JBSB.exe Win32/ServStart.AL trojan
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\AAxxvvtt.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\AAyyvvtt.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\bddffiik.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\ECCAAxxv.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\eeggjjll.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\IILLNNPP.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\JJMMOOQQ.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\KNPRUWYb.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\MPPRRTTW.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\NKKIIGGD.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\OOMMKKII.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\ppssuuww.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\QSSVVXXZ.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\qsvxzCEG.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\roommkki.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\ruuwwyyB.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\shift.exe a variant of Win32/Farfli.EN trojan
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\tcpwamllib.exe a variant of MSIL/Packed.CodeVeil.A application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\UXZbegil.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_042955\C_WINDOWS\system32\VTTRROOM.exe probably a variant of Win32/Statik application
C:\_OTL\MovedFiles\08242011_144904\C_\1140500.dll Win32/Farfli.DP trojan
C:\_OTL\MovedFiles\08242011_144904\C_\14800.dll Win32/Farfli.DP trojan
C:\_OTL\MovedFiles\08242011_144904\C_\1887700.dll Win32/Farfli.DP trojan
C:\_OTL\MovedFiles\08242011_144904\C_\2974500.dll Win32/Farfli.DP trojan
C:\_OTL\MovedFiles\08242011_144904\C_\360.vbs VBS/TrojanDownloader.Small.L trojan
C:\_OTL\MovedFiles\08242011_144904\C_\76200.dll Win32/Farfli.DP trojan
C:\_OTL\MovedFiles\08242011_144904\C_\875000.dll Win32/Farfli.DP trojan
C:\_OTL\MovedFiles\08242011_144904\C_Program Files\tomcat.jpg Win32/Farfli.DP trojan
C:\_OTL\MovedFiles\08252011_004344\C_Documents and Settings\All Users\Start Menu\Programs\Startup\smss.exe a variant of Win32/Agent.OMY trojan
C:\_OTL\MovedFiles\08252011_004344\C_WINDOWS\smss.exe a variant of Win32/Agent.OMY trojan
C:\_OTL\MovedFiles\08252011_004344\C_WINDOWS\system32\Wib8001.exe a variant of Win32/Kryptik.LRP trojan
C:\_OTL\MovedFiles\08252011_021333\C_WINDOWS\system32\on2.exe Win32/Parite.B virus
Operating memory a variant of Win32/KillProc.B application

#19 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hi!

At least if it ends up being impossible to salvage, I hope to know where the backdoor came from and how I can avoid it in the future. The application it seems to be exploiting is SQL server, and I use that for business with no way to update, so I'd like to know how I got infected and/or how to avoid it.

Regardless of the outcome, I will provide my recommendations on how to avoid becoming infected again, and how to stay malware free.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
C:\bootQD.exe
C:\Documents and Settings\onwinsys.exe
C:\Documents and Settings\MJ\My Documents\Downloads\mp4tovideo_install.exe
C:\LG Backup\SuperOneClick2\rageagainstthecage
C:\Program Files\myawug.exe
C:\Program Files\Internet Explorer\360liveupdate.dll
C:\RECYCLER\onf1.dat
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\system32\bootQD.exe
C:\WINDOWS\system32\onwinsys.exe
C:\WINDOWS\system32\Wib8001.exe
C:\WINDOWS\system32\i9049\D001.exe
C:\WINDOWS\system32\i9049\E001.exe
C:\WINDOWS\system32\i9049\F001.exe
C:\WINDOWS\system32\i9049\G001.exe
C:\WINDOWS\system32\i9049\JBSB.exe

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save.

[Image: screenshot showing CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
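An added example, not part of the thread and not ComboFix's or ESET's own code: the triage step SweetTech did by hand, written as a Python script. The ESET log above lists every detection, but only files still live on disk belong in the CFScript File:: section. Copies under System Volume Information are restore-point snapshots (cleared by resetting System Restore, not by script), anything under \_OTL\MovedFiles is already in OTL's quarantine from the earlier OTL runs, and the "Operating memory" hit means one of the detections is a running process, which is why the script opens with KillAll::. The sample lines are excerpted from the ESET log above; the bucket names, the regular expressions and the helper functions are this example's own assumptions. Run against the excerpt, it produces the same nine live paths that appear in SweetTech's script (the remaining entries there came from other logs in the thread).

```python
"""Triage an ESET scan log into a ComboFix CFScript (added example, not from the thread)."""
import re
from collections import Counter

# Sample input: lines excerpted from the ESET log posted above in this thread.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP523\A0084131.exe a variant of Win32/Delf.PTA trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP528\A0088766.bat BAT/TrojanDownloader.Ftp.NHN trojan
C:\System Volume Information\_restore{1002D104-A30B-4325-97EA-169491DFB10C}\RP529\A0089116.exe Win32/Parite.A virus
C:\WINDOWS\FixCamera.exe a variant of Win32/KillProc.B application
C:\WINDOWS\system32\bootQD.exe Win32/Agent.SBX trojan
C:\WINDOWS\system32\onwinsys.exe a variant of Win32/Farfli.FX trojan
C:\WINDOWS\system32\Wib8001.exe a variant of Win32/Kryptik.LRP trojan
C:\WINDOWS\system32\i9049\D001.exe a variant of Win32/Agent.OSH trojan
C:\WINDOWS\system32\i9049\E001.exe a variant of Win32/Kryptik.LRP trojan
C:\WINDOWS\system32\i9049\F001.exe Win32/ServStart.AA trojan
C:\WINDOWS\system32\i9049\G001.exe a variant of Win32/Kryptik.LRP trojan
C:\WINDOWS\system32\i9049\JBSB.exe Win32/ServStart.AL trojan
C:\_OTL\MovedFiles\08242011_144904\C_\360.vbs VBS/TrojanDownloader.Small.L trojan
C:\_OTL\MovedFiles\08252011_004344\C_Documents and Settings\All Users\Start Menu\Programs\Startup\smss.exe a variant of Win32/Agent.OMY trojan
Operating memory a variant of Win32/KillProc.B application
"""

# One log line is "<path> <detection> <kind>".  The path may contain spaces,
# so the expression anchors on the detection name, which always carries a
# platform prefix (Win32/, BAT/, VBS/, MSIL/) followed by a family name.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/[A-Za-z0-9._-]+)\s+"
    r"(?P<kind>trojan|virus|worm|adware|(?:potentially (?:unwanted|unsafe) )?application)$"
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore", re.IGNORECASE)
OTL_QUARANTINE = "\\_otl\\movedfiles\\"   # OTL's quarantine folder, as it appears in the log

BUCKETS = ("live", "restore_point", "quarantined", "memory")   # names assumed by this example


def parse_line(line):
    """Return {'path', 'detection', 'kind'} for a detection line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Decide how a detected path should be handled."""
    if not DRIVE_PATH_RE.match(path):
        return "memory"             # "Operating memory": a running process, not a file on disk
    if RESTORE_RE.match(path):
        return "restore_point"      # cleaned by resetting System Restore, not by CFScript
    if OTL_QUARANTINE in path.lower():
        return "quarantined"        # already moved out of the way by OTL
    return "live"                   # still on disk at its original location


def triage(log_text):
    """Group every parseable detection line by the action it needs."""
    buckets = {name: [] for name in BUCKETS}
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is not None:
            buckets[classify(entry["path"])].append(entry)
    return buckets


def family(detection):
    """'a variant of Win32/Farfli.GA' -> 'Win32/Farfli' (platform and family only)."""
    platform, _, rest = detection.split()[-1].partition("/")
    return platform + "/" + rest.split(".")[0]


def family_counts(entries):
    """Tally malware families: the first thing to read off a log like this one."""
    return Counter(family(e["detection"]) for e in entries)


def build_cfscript(live_entries):
    """Emit CFScript text: KillAll:: to stop running samples, then one File:: path per line.
    Paths are deduplicated and sorted case-insensitively, since NTFS paths are too."""
    paths = sorted({e["path"] for e in live_entries}, key=str.lower)
    return "KillAll::\nFile::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    buckets = triage(SAMPLE_LOG)
    for name in BUCKETS:
        print(f"{name:14s} {len(buckets[name])}")
    print(family_counts(buckets["live"]).most_common())
    print(build_cfscript(buckets["live"]))
```

Paths are compared case-insensitively because NTFS is, and the logs in this thread mix C:\WINDOWS with c:\windows. The family tally is what you would read off before answering the "where did the backdoor come from" question; on this excerpt it is Kryptik, ServStart and Agent, which on its own says nothing about the entry vector.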

#20 mjhermano (Topic Starter, Member, 14 posts)
At any rate, I appreciate you taking the time. I had a problem running ComboFix this time around: it told me Avira was on while I was in Safe Mode, but when I checked Avira, it was disabled. I ran it anyway.

Here's the new log:


ComboFix 11-08-24.04 - MJ 08/26/2011 5:02.17.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1691 [GMT 8:00]
Running from: c:\documents and settings\MJ\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MJ\Desktop\cfscript.txt
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
FILE ::
"C:\bootQD.exe"
"c:\documents and settings\MJ\My Documents\Downloads\mp4tovideo_install.exe"
"c:\documents and settings\onwinsys.exe"
"c:\lg backup\SuperOneClick2\rageagainstthecage"
"c:\program files\Internet Explorer\360liveupdate.dll"
"c:\program files\myawug.exe"
"c:\recycler\onf1.dat"
"c:\windows\FixCamera.exe"
"c:\windows\system32\bootQD.exe"
"c:\windows\system32\i9049\D001.exe"
"c:\windows\system32\i9049\E001.exe"
"c:\windows\system32\i9049\F001.exe"
"c:\windows\system32\i9049\G001.exe"
"c:\windows\system32\i9049\JBSB.exe"
"c:\windows\system32\onwinsys.exe"
"c:\windows\system32\Wib8001.exe"
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\bootQD.exe
c:\documents and settings\All Users\Application Data\Storm
c:\documents and settings\All Users\DRM\%SESSIONNAME%
c:\documents and settings\MJ\My Documents\Downloads\mp4tovideo_install.exe
c:\documents and settings\onwinsys.exe
c:\lg backup\SuperOneClick2\rageagainstthecage
c:\program files\Internet Explorer\360liveupdate.dll
c:\windows\FixCamera.exe
c:\windows\system32\360.exe
c:\windows\system32\bootQD.exe
c:\windows\system32\c.exe
c:\windows\system32\cs.exe
c:\windows\system32\hex1.exe
c:\windows\system32\hex123.exe
c:\windows\system32\hexQD.exe
c:\windows\system32\hexqianhua.exe
c:\windows\system32\hexwinsys.exe
c:\windows\system32\i9049\D001.exe
c:\windows\system32\i9049\E001.exe
c:\windows\system32\i9049\F001.exe
c:\windows\system32\i9049\G001.exe
c:\windows\system32\i9049\JBSB.exe
c:\windows\system32\mss.exe
c:\windows\system32\onwinsys.exe
c:\windows\system32\p.exe
c:\windows\system32\tao.exe
c:\windows\system32\tcpwamllib.exe
c:\windows\system32\Wib8001.exe
c:\windows\system32\WS.exe
c:\windows\system32\xp1433.exe
c:\windows\system32\xpip.exe
c:\windows\system32\xpQD.exe
c:\windows\winsys.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WINHELP32
-------\Service_WinHelp32
-------\Legacy_WinHeb8001
-------\Service_WinHeb8001
.
.
((((((((((((((((((((((((( Files Created from 2011-07-25 to 2011-08-25 )))))))))))))))))))))))))))))))
.
.
2011-08-25 11:58 . 2011-08-25 11:58 61 ----a-w- C:\xpip.exe
2011-08-25 10:12 . 2011-08-25 10:56 32 ----a-w- c:\windows\system32\gouri.bat
2011-08-25 10:06 . 2011-08-25 10:07 208896 ----a-w- c:\windows\system32\on1433.exe
2011-08-25 10:06 . 2011-08-25 10:07 208896 ----a-w- c:\documents and settings\on1433.exe
2011-08-25 08:34 . 2011-08-25 08:35 360683 ----a-w- c:\documents and settings\onserver.exe
2011-08-25 08:34 . 2011-08-25 08:35 360683 ----a-w- c:\windows\system32\onserver.exe
2011-08-25 01:46 . 2011-08-25 02:05 0 ----a-w- c:\documents and settings\hexqianhua.exe
2011-08-25 00:21 . 2011-08-25 00:21 0 ----a-w- c:\documents and settings\hexwinsys.exe
2011-08-25 00:07 . 2011-08-25 20:42 -------- d-----w- c:\program files\7rar
2011-08-25 00:06 . 2011-08-25 21:12 -------- d-----w- c:\windows\system32\i9049
2011-08-25 00:06 . 2011-08-25 00:06 30 ----a-w- c:\windows\system32\DUMP.COM
2011-08-25 00:06 . 2011-08-25 00:06 54 ----a-w- c:\windows\system32\DUMP.TMP
2011-08-25 00:05 . 2011-08-25 00:05 -------- d-----w- C:\hotfix
2011-08-25 00:01 . 2011-08-25 08:58 32256 ----a-w- c:\windows\system32\winghost.exe
2011-08-24 23:44 . 2011-08-24 23:44 -------- d-----w- c:\program files\ESET
2011-08-24 23:18 . 2011-08-24 23:18 63 ----a-w- C:\hexQD.exe
2011-08-24 23:18 . 2011-08-24 23:18 69 ----a-w- C:\xpQD.exe
2011-08-24 22:09 . 2011-08-24 22:10 -------- d-----w- c:\windows\system32\i1067
2011-08-24 22:05 . 2011-08-25 12:00 0 ----a-w- c:\documents and settings\hex123.exe
2011-08-24 22:05 . 2011-08-25 08:59 561152 ----a-w- c:\documents and settings\on123.exe
2011-08-24 21:41 . 2011-08-24 21:41 236032 ----a-w- C:\hex1433.exe
2011-08-24 21:40 . 2011-08-25 02:04 66 ----a-w- C:\xp1433.exe
2011-08-23 20:26 . 2011-08-23 20:26 119446862 ----a-w- C:\registrybackup.reg
2011-08-23 12:23 . 2011-08-23 12:23 -------- d-----w- c:\program files\Common Files\Java
2011-08-23 12:22 . 2011-08-23 12:22 -------- d-----w- c:\program files\Java
2011-08-23 11:38 . 2011-08-23 11:38 -------- d-----w- c:\documents and settings\MJ\Application Data\SUPERAntiSpyware.com
2011-08-23 11:37 . 2011-08-23 11:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-23 11:37 . 2011-08-23 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-23 08:36 . 2011-08-23 08:36 -------- d-----w- C:\_OTL
2011-08-23 03:13 . 2011-08-23 03:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2011-08-22 19:45 . 2011-08-22 19:45 -------- d-----w- c:\documents and settings\MJ\DoctorWeb
2011-08-22 18:53 . 2011-08-22 18:53 -------- d-----w- C:\VundoFix Backups
2011-08-22 18:07 . 2011-08-22 18:07 -------- d-----w- c:\documents and settings\MJ\Application Data\Malwarebytes
2011-08-22 18:07 . 2011-07-06 11:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-22 18:07 . 2011-08-22 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-22 18:06 . 2011-08-22 18:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-22 18:06 . 2011-07-06 11:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 12:50 . 2011-08-22 14:06 -------- d-----w- C:\Clipart
2011-08-22 12:50 . 2003-08-01 05:00 13359 ----a-w- c:\windows\system32\drivers\SYDEXFDD.SYS
2011-08-22 12:50 . 2001-01-19 07:21 28416 ----a-w- c:\windows\system32\drivers\WNTPPORT.SYS
2011-08-22 12:50 . 2000-05-03 09:26 244232 ----a-w- c:\windows\system32\MSFLXGRD.OCX
2011-08-22 12:50 . 1999-05-06 16:00 140288 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-08-22 12:50 . 1998-10-29 08:58 20644 ----a-w- c:\windows\system32\EMTRANS.VXD
2011-08-22 12:50 . 1997-01-21 10:16 133392 ----a-w- c:\windows\system32\MSMAPI32.OCX
2011-08-11 21:42 . 2011-08-11 21:42 -------- d-----w- c:\documents and settings\MJ\Application Data\Avira
2011-08-11 21:28 . 2011-07-21 04:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-11 21:28 . 2011-07-21 04:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-11 21:28 . 2010-06-17 07:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-08-11 21:28 . 2010-06-17 07:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-08-11 21:28 . 2011-08-11 21:28 -------- d-----w- c:\program files\Avira
2011-08-11 21:28 . 2011-08-11 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-08-11 21:24 . 2011-08-11 21:24 -------- d-----w- C:\Avira
2011-07-31 04:16 . 2011-07-31 04:57 -------- d-----w- c:\documents and settings\Irving\Local Settings\Application Data\FVD Suite
2011-07-31 04:13 . 2011-08-25 12:01 -------- d--h--w- c:\program files\FVD Suite
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-25 08:34 . 2011-08-25 08:34 22122061 ----a-w- C:\hgxxdyfjou
2011-08-25 08:23 . 2011-08-25 08:23 25132712 ----a-w- C:\odmledgbjg
2011-08-23 12:22 . 2010-05-24 13:31 472808 -c--a-w- c:\windows\system32\deployJava1.dll
2011-08-22 12:26 . 2010-05-13 09:24 81920 ----a-w- c:\windows\DUMP4dd1.tmp
2011-08-22 12:17 . 2010-05-13 09:24 81920 ----a-w- c:\windows\DUMP46bd.tmp
2011-07-05 16:36 . 2011-07-05 16:36 9216 ----a-r- c:\documents and settings\MJ\Application Data\Microsoft\Installer\{7426428E-71D4-452C-BA13-B14E5EB52859}\Icon7426428E16.exe
2011-08-18 06:01 . 2011-03-23 22:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-22_22.02.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-25 21:16 . 2011-08-25 21:16 16384 c:\windows\temp\Perflib_Perfdata_710.dat
+ 2011-08-25 21:16 . 2011-08-25 21:16 16384 c:\windows\temp\Perflib_Perfdata_3fc.dat
+ 2011-08-25 00:07 . 2011-08-25 00:07 46592 c:\windows\system32\i9049\JATE.exe
+ 2011-08-25 00:07 . 2011-08-25 00:07 45609 c:\windows\system32\i9049\H002.exe
+ 2011-08-25 00:07 . 2011-08-25 00:07 45609 c:\windows\system32\i9049\H001.exe
- 2010-05-13 16:43 . 2011-08-22 16:29 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-13 16:43 . 2011-08-25 00:07 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-13 16:43 . 2011-08-22 16:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-05-13 16:43 . 2011-08-25 00:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-08-25 00:07 . 2011-08-25 00:07 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-05-13 16:43 . 2011-08-22 16:29 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-08-23 12:22 . 2011-08-23 12:22 157472 c:\windows\system32\javaws.exe
- 2010-12-21 14:11 . 2010-12-21 14:11 157472 c:\windows\system32\javaws.exe
+ 2011-08-23 12:22 . 2011-08-23 12:22 145184 c:\windows\system32\javaw.exe
- 2010-12-21 14:11 . 2010-12-21 14:11 145184 c:\windows\system32\javaw.exe
- 2010-12-21 14:11 . 2010-12-21 14:11 145184 c:\windows\system32\java.exe
+ 2011-08-23 12:22 . 2011-08-23 12:22 145184 c:\windows\system32\java.exe
+ 2011-08-25 00:06 . 2011-08-25 00:06 172032 c:\windows\system32\i9049\A22.exe
+ 2011-08-23 12:23 . 2011-08-23 12:23 203776 c:\windows\Installer\749179.msi
+ 2011-08-23 12:22 . 2011-08-23 12:22 902656 c:\windows\Installer\749171.msi
+ 2004-08-03 22:56 . 2004-08-03 22:56 1032192 c:\windows\system32\sethc.exe
+ 2004-08-03 22:56 . 2004-08-03 22:56 1032192 c:\windows\system32\dllcache\sethc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-05-27 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-25 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-25 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-25 136192]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"tsnp2uvc"="c:\windows\tsnp2uvc.exe" [2009-12-11 320512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-09 2552648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 1632360]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-20 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
c:\documents and settings\MJ\Start Menu\Programs\Startup\
PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2011-6-9 477736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-18 74308]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CAPCOM\\STREETFIGHTERIV\\StreetFighterIV.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"k:\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"k:\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"k:\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"k:\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"k:\\Dragon Age\\bin_ship\\daorigins.exe"=
"k:\\Dragon Age\\DAOriginsLauncher.exe"=
"k:\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
.
R0 AladdinUsbFilter;AladdinUsbFilterService;c:\windows\system32\drivers\AladdinUsbFilter.sys [5/13/2010 8:12 AM 484352]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [5/2/2011 8:36 PM 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [5/2/2011 8:36 PM 29400]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/23/2011 12:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2011 5:55 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/12/2011 7:38 AM 116608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/12/2011 5:28 AM 136360]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2/19/2010 5:00 PM 148744]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [12/16/2009 10:09 AM 188736]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [12/16/2009 10:11 AM 65856]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/24/2011 5:58 PM 2214504]
R2 wntpport;wntpport;c:\windows\system32\drivers\WNTPPORT.SYS [8/22/2011 8:50 PM 28416]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [8/2/2010 4:19 PM 14336]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [8/2/2010 4:19 PM 20864]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [8/2/2010 4:19 PM 19968]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [8/2/2010 4:19 PM 24960]
R3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [6/9/2011 6:35 PM 31312]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [5/13/2010 10:02 AM 119528]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [6/9/2011 6:40 PM 13312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MSUpdqtecko;Microsoft Windows Uqdateewi Service;c:\program files\myawug.exe --> c:\program files\myawug.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/13/2010 9:56 AM 1684736]
S3 AndNetDiag;LG AndroidNet USB Serial Port;c:\windows\system32\drivers\lgandnetdiag.sys [8/2/2010 4:19 PM 23040]
S3 AndNetGps;LG AndroidNet USB GPS NMEA Port;c:\windows\system32\drivers\lgandnetgps.sys [8/2/2010 4:19 PM 22272]
S3 ANDNetModem;LG AndroidNet USB Modem;c:\windows\system32\drivers\lgandnetmodem.sys [8/2/2010 4:19 PM 27776]
S3 andnetndis;LG AndroidNet NDIS Ethernet Adapter;c:\windows\system32\drivers\lgandnetndis.sys [8/2/2010 4:19 PM 66816]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;k:\dragon age\bin_ship\daupdatersvc.service.exe [12/16/2009 4:07 AM 25832]
S3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [9/29/2009 8:11 AM 12160]
S3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys --> c:\windows\system32\DRIVERS\lgbtbus.sys [?]
S3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\DRIVERS\lgvmodem.sys --> c:\windows\system32\DRIVERS\lgvmodem.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/23/2011 2:07 AM 41272]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [8/22/2011 8:50 PM 13359]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
imgsvc REG_MULTI_SZ StiSvc Please Input Service Name Nxixnv Orirebul Umb
xcvs REG_MULTI_SZ xcvs
¸ß¼¶°æ REG_MULTI_SZ ¸ß¼¶°æ
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-448539723-725345543-1003Core.job
- c:\documents and settings\MJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-01 20:53]
.
2011-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-448539723-725345543-1003UA.job
- c:\documents and settings\MJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-01 20:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=15161&l=dis
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: LG Air Sync (R-Click) - Save as Mobile Image - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/206
IE: LG Air Sync (R-Click) - Save as Mobile Memo - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/208
IE: LG Air Sync (R-Click) - Save as Mobile Text file - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/210
IE: LG Air Sync (R-Click) - Set as Mobile Wallpaper - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/205
IE: LG Air Sync Option - c:\program files\LG Electronics\LG PC Suite IV\LinkAir\IEContextMenu.dll/209
TCP: DhcpNameServer = 202.8.224.36 202.8.224.39
TCP: Interfaces\{56E4BDAE-AFFC-4749-8E1C-5F2C133402B6}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{7D033C36-3894-4E86-818D-2D141154C4BF}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\MJ\Application Data\Mozilla\Firefox\Profiles\9j7isrn4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-FixCamera - c:\windows\FixCamera.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-26 05:16
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'lsass.exe'(1104)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2516)
c:\windows\system32\guard32.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
**************************************************************************
.
Completion time: 2011-08-26 05:21:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-25 21:21
ComboFix2.txt 2011-08-24 23:12
ComboFix3.txt 2011-08-24 21:22
ComboFix4.txt 2011-08-24 19:09
ComboFix5.txt 2011-08-25 21:01
.
Pre-Run: 10,660,683,776 bytes free
Post-Run: 10,657,255,424 bytes free
.
- - End Of File - - 0E89DCCAFAEA5242F905E692D297511E
  • 0
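An added example, not part of the thread and not ComboFix's own code: a small Python triage pass over service lines in the format ComboFix prints above. It flags the signals visible in this log, the `[?]` missing-file marker, a Microsoft-branded display name whose image lives outside %windir%, and a bare executable in the root of Program Files. The sample lines are copied from the log; the rules and their weighting are my own assumptions, not anything ComboFix implements.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: four service lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/12/2011 5:28 AM 136360]
S2 MSUpdqtecko;Microsoft Windows Uqdateewi Service;c:\program files\myawug.exe --> c:\program files\myawug.exe [?]
S3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys --> c:\windows\system32\DRIVERS\lgbtbus.sys [?]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [12/16/2009 10:11 AM 65856]
"""

# Line shape: "<R|S><start> <name>;<display>;<image> [<date size> | ?]"; R = running, S = stopped, start 2 = automatic.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)

@dataclass
class Service:
    name: str
    display: str
    image: str        # first path if ComboFix printed "a --> b"
    running: bool
    start: int
    file_found: bool  # False when the bracket holds "?" (file not on disk)
    findings: list = field(default_factory=list)

def parse_services(text):
    """Parse every service/driver line of a ComboFix log."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        services.append(Service(
            name=m.group("name"), display=m.group("display"),
            image=m.group("image").split(" --> ")[0].strip(),
            running=m.group("state") == "R", start=int(m.group("start")),
            file_found=m.group("meta") != "?"))
    return services

def audit(service):
    """Apply assumed heuristics (not ComboFix's own) and return the findings."""
    img = service.image.lower()
    if not service.file_found:
        # Orphaned registration: common for leftover drivers, but also what a dropper looks like once its payload moved.
        service.findings.append("image file not found on disk")
    brand = any(w in service.display.lower() for w in ("microsoft", "windows"))
    if brand and not img.startswith("c:\\windows\\"):
        # Genuine Microsoft services on XP live under %windir%; a Microsoft-sounding name in Program Files is impersonation.
        service.findings.append("Microsoft-branded name but image outside %windir%")
    if re.match(r"^c:\\program files\\[^\\]+\.exe$", img):
        # Vendors install into a subfolder; a bare EXE in the Program Files root has no vendor folder.
        service.findings.append("executable sits directly in Program Files root")
    if service.findings and service.start == 2:
        service.findings.append("auto-start: re-launches at every boot")
    return service.findings

def suspicious_services(text):
    report = {}
    for svc in parse_services(text):
        if audit(svc):
            report[svc.name] = svc.findings
    return report
```

On the sample, the typo-squatted "Microsoft Windows Uqdateewi Service" trips all four rules while the LG driver only shows the low-weight missing-file signal, which is the difference between a lead and a verdict.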

#21
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

I'm afraid I don't have good news for you. You appear to be infected with a nasty infection, which appears to be re-spawning. I cannot in good conscience continue to assist cleaning this machine up when I know that there is no way whatsoever that I'd ever trust doing anything on this machine again, especially with this being a business computer.

I would ensure that you change all of your passwords from a known clean computer.

Please read this information below:

Reformatting a hard disk deletes all data. You can back up all your important documents, personal data files, and photos to a CD or DVD drive, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (.exe), screensavers (.scr), autorun (.ini) or script files (.php, .asp, and .html), because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them, as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise themselves by adding and hiding their extension behind the existing extension of file(s), so be sure you look closely at the full file name. After reformatting, scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.
Also see How to keep your Windows XP activation after clean install.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy, Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM with computers sold with Windows pre-installed. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media.

I truly wish that the end result could have been better, but the only viable option that I can see is for you to perform a full re-format and re-install.

I'll provide my usual tips for staying clean below:



All Clean Speech


Below I have included a number of recommendations for how to protect your computer against malware infections.


Updated Anti-Virus Program
It's essential that you have an updated anti-virus program running on your computer. You don't want to run more than one, as it can cause program conflicts as well as false positives.

You can view an excellent list of Free Security Software programs that has been compiled by GeekstoGo.


Avoid P2P Programs

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

If you have any of these programs installed then I highly suggest you uninstall them.

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Internet Browsers

Many of the users that I assist here on the forums ask me which programs they can use to prevent themselves from getting infected again in the future. The best answer I can give you is to practice safe browsing.

Please consider using an alternative browser such as Google Chrome or Opera. They are both much more secure than Internet Explorer, immune to almost all known browser hijackers, and also have great built-in pop-up blockers.

I also suggest you make your Internet Explorer more secure.


Make Internet Explorer more secure

  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.



Extra Goodies

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.
  • You should run an updated scan with MalwareBytes' Anti-Malware weekly. Instructions are included below:

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates

  • Be wary of e-mails from unknown senders. Keep the following in mind as well: if it's too good to be true, then it more than likely is.

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for Chrome and Opera.
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Cheers,
SweetTech.
  • 0

#22
mjhermano

    Member

  • Topic Starter
  • Member
  • 14 posts
Well, that's sad to hear. I'm ready to reformat anyway, but it'll have to wait for a few hours as I have to leave.

Any idea what specific malware it is? And how it came into my system despite my firewall/Antivirus? All I know is it's some kind of Chinese backdoor that uses sqlserver to call cmd to ftp to somewhere (whew :)). I really don't want to have to deal with this again.

Would I be more secure against this, say, if I use Windows 7 and run Windows XP SP2 from a virtual box?
  • 0

#23
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

You seem to have like a cocktail of malicious infections.

A couple of them are: Win32/Agent.SBX trojan, variant of Win32/Farfli.FX trojan, and Win32/PcClient.NGZ trojan.

I think the fact that you had uTorrent and an outdated service pack installed were part of the problem.

If you want to stick with Windows XP, then you really need to update to Service Pack 3 or, as you suggested, you could always upgrade to Windows 7 and run Windows XP in a Virtual Machine.

Does a certain utility required for work require the use of Windows XP SP 2? Any reason you're not able to update to Service Pack 3?
  • 0

#24
mjhermano

    Member

  • Topic Starter
  • Member
  • 14 posts
Yeah, the SP2 is a necessity. One of the drivers of some old business software I use only works for SP2 and it never was updated for SP3. So I have to use SP2.

I guess the Virtual Machine is the best solution. I know torrenting is evil (and is probably the major reason I have this problem), but would using uTorrent on a Linux VM reduce the vulnerabilities?

Also, there are infections that can persist through a reformat, right? Would you say it would be unlikely in my case?
  • 0

#25
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts

Yeah, the SP2 is a necessity. One of the drivers of some old business software I use only works for SP2 and it never was updated for SP3. So I have to use SP2.

hmm.. Okay. If you need SP2, then I'd definitely look into using a VM with

I guess the Virtual Machine is the best solution. I know torrenting is evil (and is probably the major reason I have this problem), but would using uTorrent on a Linux VM reduce the vulnerabilities?

Torrenting is evil. It really depends.. Linux users typically don't see viruses, but I think using Linux may reduce the vulnerabilities.

Also, there are infections that can persist through a reformat, right? Would you say it would be unlikely in my case?

Well, if you back up any files that are infected, then yes, they can survive a reformat.
  • 0


#26
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
