
Thread: Mfeed.in Redirect Returns

  1. #21
    Member
    Join Date
    Mar 2008
    Posts
    71

    Done and Finished

    Ken545 - Thanks for all your help. My system is saved from the dreaded Format and Reinstall [Microsoft Tech support's answer to everything]. I'll be safer from now on.
    Dinosaur58

  2. #22
    Member
    Join Date
    Mar 2008
    Posts
    71

    Disregard previous

    bump bump
    Last edited by ken545; 2010-07-20 at 12:37.

  3. #23
    Member
    Join Date
    Mar 2008
    Posts
    71

    Disregard previous

    After reboot from OTC I had my antivirus protection turned off for the Eset removal process. Failed to restart it [duh] and surfed to: http://forums.adobe.com/thread/522601 to find out if I can disable the new startup processes that Adobe installed. After reading in the forum for about 2 minutes a pop-up appeared: allweddingworld
    As usual the scripts were blocked by NoScript. This is exactly the behavior from the infection we are working on. Note: a Microsoft Malicious SRT update had downloaded and was waiting to install. I allowed the install and after reboot it said "Malicious software was detected and partially removed." It requested a full scan [in progress now] "can take up to several hours on some computers." Darn! D58
    Last edited by ken545; 2010-07-20 at 12:38.

  4. #24
    Member
    Join Date
    Mar 2008
    Posts
    71

    oops

    Tried to edit out the bad link [thought I had a few minutes to edit post] instead it reposted. NOTE TO ALL: DO NOT FOLLOW THE -ALLWEDDINGWORLD- LINK!!!!!
    D58 P.S. Admins - please remove 2nd post and disable/remove bad link.

  5. #25
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Something must have been put back, let's get rid of this program. First see if you can find it in Add/Remove Programs and uninstall it; either way, run this script.

    Drag Combofix to the trash and grab a fresh copy

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop



    Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Rootkit::


    Code:
    Driver::
    GNUAN

    File::
    c:\documents and settings\administrator\local settings\Temp\GNUAN.exe

    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  6. #26
    Member
    Join Date
    Mar 2008
    Posts
    71

    Combofix run error?

    No Combofix in Add/Remove. Installed a new copy to the desktop and tried to run the script. At around stage 3 there was a Windows error message [looked like a DEP message] saying 'PEV.cfxxe has encountered an error and needs to close...' I closed the message box and Combofix seemed to resume normally. Here is the log.
    WWWWWWWWWWW
    ComboFix 10-07-19.02 - Administrator 07/20/2010 5:57.12.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1456 [GMT -6:00]
    Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator.COMPUTER\Desktop\cfscript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    FILE ::
    "c:\documents and settings\administrator\local settings\Temp\GNUAN.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GNUAN
    -------\Service_GNUAN


    ((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
    .

    2010-07-20 11:42 . 2010-07-20 11:42 1014 ----a-w- c:\windows\system32\drivers\mgtryuwv.dat
    2010-07-20 11:41 . 2010-07-20 11:41 8832 ----a-w- c:\windows\system32\drivers\RASACD.SYS
    2010-07-20 09:26 . 2010-07-20 09:26 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-07-19 18:42 . 2010-07-19 18:42 -------- d-----w- c:\program files\ESET
    2010-07-18 20:21 . 2010-07-18 20:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
    2010-07-12 14:56 . 2010-07-12 14:56 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
    2010-07-12 10:35 . 2010-07-12 10:35 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
    2010-07-08 14:04 . 2010-07-08 14:04 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
    2010-07-06 15:57 . 2010-07-06 15:57 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Apple Computer
    2010-07-05 18:36 . 2010-07-05 18:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
    2010-07-05 18:36 . 2010-07-18 17:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-04 15:11 . 2010-07-04 15:11 503808 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcp71.dll
    2010-07-04 15:11 . 2010-07-04 15:11 499712 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\jmc.dll
    2010-07-04 15:11 . 2010-07-04 15:11 348160 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4658bb77-n\msvcr71.dll
    2010-07-04 15:11 . 2010-07-04 15:11 61440 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-sse.dll
    2010-07-04 15:11 . 2010-07-04 15:11 12800 ----a-w- c:\documents and settings\Administrator.COMPUTER\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65417641-n\decora-d3d.dll
    2010-07-04 15:11 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-01 12:08 . 2010-07-01 12:08 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
    2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
    2010-07-01 10:02 . 2010-07-01 10:02 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
    2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-06-30 08:30 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-06-30 08:30 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-06-30 08:30 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\program files\Avira
    2010-06-30 08:30 . 2010-06-30 08:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
    2010-06-30 06:50 . 2010-06-30 06:50 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
    2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\program files\Common Files\iS3
    2010-06-30 06:03 . 2010-06-30 06:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
    2010-06-29 14:02 . 2010-06-29 14:02 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-14 14:30 . 2007-10-23 22:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2010-06-09 17:55 . 2010-06-09 17:55 -------- d-----w- c:\documents and settings\Administrator.COMPUTER\Application Data\Topaz Moment
    2010-06-09 17:06 . 2010-06-09 17:06 -------- d-----w- c:\program files\Topaz Labs LLC
    2010-06-01 15:02 . 2007-10-23 22:52 120280 ----a-w- c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-02 05:56 . 2007-12-14 00:01 1850880 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 21:39 . 2008-07-20 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 21:39 . 2008-07-20 15:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2004-04-09 21:13 . 2007-10-23 22:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nwiz"="nwiz.exe" [2007-09-17 1626112]
    "atwtusb"="atwtusb.exe" [2007-03-20 315392]
    "Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogoff"= 01000000
    "NoRecentDocsNetHood"= 01000000
    "NoSMMyDocs"= 01000000
    "NoSMMyPictures"= 01000000
    "NoNetworkConnections"= 01000000

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
    backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
    path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
    backup=c:\windows\pss\QuickShelf 2000.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2008-04-10 02:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    2008-04-10 02:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
    2009-01-16 22:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
    2008-04-10 02:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NMIndexingService"=3 (0x3)
    "NBService"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
    "SoundMan"=SOUNDMAN.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\System32\\mmc.exe"=
    "c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
    "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

    R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/30/2010 02:30 AM 108289]
    R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 04:11 AM 3744]
    R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 04:11 AM 3904]
    R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 03:59 AM 50944]
    S1 stkowqfi;stkowqfi;\??\c:\windows\system32\drivers\stkowqfi.sys --> c:\windows\system32\drivers\stkowqfi.sys [?]
    S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
    S3 MEMSWEEP2;MEMSWEEP2; [x]
    S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 04:31 PM 161064]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-HijackThis - c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-20 06:10
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
    63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
    "bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
    66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(908)
    c:\windows\system32\relog_ap.dll

    - - - - - - - > 'explorer.exe'(3624)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-20 06:13:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-20 12:13

    Pre-Run: 86,872,752,128 bytes free
    Post-Run: 86,978,068,480 bytes free

    - - End Of File - - 14B6EDBBB57A16A624A4D9129486DED3
    WWWWWWWWWWWWWWWW
    I found 'ComboFix-quarantined-files.txt' in Qoobox. It mentions GNUAN.
    WWWWWWWWWWWWWWWW
    2010-07-20 12:12:29 . 2010-07-20 12:12:30 922 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-HijackThis.reg.dat
    2010-07-20 12:06:12 . 2010-07-20 12:06:14 2,686 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_GNUAN.reg.dat
    2010-07-20 12:06:12 . 2010-07-20 12:06:14 782 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_GNUAN.reg.dat
    2010-07-20 12:06:05 . 2010-07-20 12:06:06 4,931 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2010-07-20 11:57:28 . 2010-07-20 11:57:30 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
    2010-07-20 11:55:53 . 2010-07-20 11:55:54 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
    WWWWWWWWWWWWW
    Probably just saying what it looked for?
    D58
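    The ComboFix log above is being read by eye in this thread: the helper picks out the driver service whose image is missing and the odd files that appeared in the drivers directory. As an added example (not ComboFix's code, nor anything the helper here used), the Python below parses two record types from that layout, the "Drivers/Services" lines (R1/S1 etc.) and the "Files Created" lines, and scores them on signals a defender would check first: a service whose image is no longer on disk (the `--> ... [?]` and `[x]` forms) or whose display name is just its own name repeated, a non-.sys file dropped into the drivers directory, and an executable created directly in the drive root. The sample lines are constructed from the posted log; the heuristics, thresholds and the `triage` function are my own assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the layout of the posted ComboFix log:
# "Files Created" records and "Drivers/Services" records (R/S + start type).
SAMPLE_LOG = r"""
2010-07-20 11:42 . 2010-07-20 11:42 1014 ----a-w- c:\windows\system32\drivers\mgtryuwv.dat
2010-07-20 11:41 . 2010-07-20 11:41 8832 ----a-w- c:\windows\system32\drivers\RASACD.SYS
2010-07-19 18:42 . 2010-07-19 18:42 -------- d-----w- c:\program files\ESET
2010-07-07 11:36 . 2010-07-07 11:36 293376 ----a-w- C:\6bg39okp.exe
2010-06-30 08:30 . 2010-06-30 08:46 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 10:33 PM 22528]
S1 stkowqfi;stkowqfi;\??\c:\windows\system32\drivers\stkowqfi.sys --> c:\windows\system32\drivers\stkowqfi.sys [?]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
"""

# "<created> . <modified> <size|--------> <attrs> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\S+)\s+(\S+)\s+(.+)$"
)
# "<R|S><start type> <service name>;<display name>;<image path and status>"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]*);([^;]*);(.*)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class Finding:
    kind: str                       # "service" or "file"
    subject: str                    # service name or file path
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)    # one point per independent signal


def check_service(name: str, display: str, image: str) -> list:
    """Signals for one Drivers/Services record (heuristics are assumptions)."""
    reasons = []
    image = image.strip()
    if image.endswith("[?]") or image.endswith("[x]"):
        reasons.append("service image not found on disk")
    if display.strip().lower() == name.strip().lower():
        reasons.append("display name identical to service name")
    return reasons


def check_file(attrs: str, path: str) -> list:
    """Signals for one Files Created record (heuristics are assumptions)."""
    reasons = []
    if attrs.startswith("d"):       # directory entry: nothing to check here
        return reasons
    low = path.lower()
    if re.fullmatch(r"[a-z]:\\[^\\]+", low) and low.endswith(EXEC_EXT):
        reasons.append("executable created directly in drive root")
    if "\\drivers\\" in low and not low.endswith(".sys"):
        reasons.append("non-.sys file in drivers directory")
    return reasons


def triage(log_text: str) -> list:
    """Return findings sorted by number of signals, strongest first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            _, name, display, image = m.groups()
            reasons = check_service(name, display, image)
            if reasons:
                findings.append(Finding("service", name, reasons))
            continue
        m = FILE_RE.match(line)
        if m:
            _, attrs, path = m.groups()
            reasons = check_file(attrs, path)
            if reasons:
                findings.append(Finding("file", path, reasons))
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score} {f.kind:8} {f.subject}")
        for r in f.reasons:
            print(f"    - {r}")
```

    The output is a ranking to verify, not a removal list: portD scores one point only, because a missing image alone is common for leftovers of legitimately uninstalled software (the helper in this thread did not target it either), while stkowqfi stacks a missing image on a meaningless display name, which is the pattern the helper acted on. RASACD.SYS is not flagged by these rules at all, even though the helper removed it on the strength of its creation time; a date-window check is the natural next signal to add.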

  7. #27
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Driver::


    Code:
    Driver::
    stkowqfi

    File::
    c:\windows\system32\drivers\mgtryuwv.dat
    c:\windows\system32\drivers\RASACD.SYS
    c:\windows\system32\drivers\stkowqfi.sys

    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.






    You need to enable windows to show all files and folders, instructions Here

    Go to VirusTotal and submit this file for analysis: just use the browse feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.


    C:\6bg39okp.exe

    If the site is busy you can try this one

    http://virusscan.jotti.org/en
    Last edited by ken545; 2010-07-20 at 15:19.

  8. #28
    Member
    Join Date
    Mar 2008
    Posts
    71

    No combofix log

    Combofix runs the same as last time, but near the end of the run the desktop blanks out, leaving only the combofix window. After reboot the system runs a disk check [no errors found], then starts normally, but no combofix window and no combofix log. Also a new folder appears on the C: drive named combofix, seeming to contain a complete system mirror [including a mirror copy of the new combofix folder = recursion]. Did not try to delete the new mirror folder. What now? D58

  9. #29
    Member
    Join Date
    Mar 2008
    Posts
    71

    file scan results

    Had VirusTotal rescan the file:
    WWWWWWWWWWWWWWWWWW
    Antivirus Version Last Update Result
    AhnLab-V3 2010.07.20.02 2010.07.20 -
    AntiVir 8.2.4.12 2010.07.20 -
    Antiy-AVL 2.0.3.7 2010.07.15 -
    Authentium 5.2.0.5 2010.07.20 -
    Avast 4.8.1351.0 2010.07.20 -
    Avast5 5.0.332.0 2010.07.20 -
    AVG 9.0.0.836 2010.07.20 -
    BitDefender 7.2 2010.07.20 -
    CAT-QuickHeal 11.00 2010.07.20 -
    ClamAV 0.96.0.3-git 2010.07.20 -
    Comodo 5486 2010.07.20 -
    DrWeb 5.0.2.03300 2010.07.20 -
    Emsisoft 5.0.0.34 2010.07.20 -
    eSafe 7.0.17.0 2010.07.19 Win32.TrojanHorse
    eTrust-Vet 36.1.7723 2010.07.20 -
    F-Prot 4.6.1.107 2010.07.19 -
    F-Secure 9.0.15370.0 2010.07.20 -
    Fortinet 4.1.143.0 2010.07.20 -
    GData 21 2010.07.20 -
    Ikarus T3.1.1.84.0 2010.07.20 -
    Jiangmin 13.0.900 2010.07.20 -
    Kaspersky 7.0.0.125 2010.07.20 -
    McAfee 5.400.0.1158 2010.07.20 -
    McAfee-GW-Edition 2010.1 2010.07.20 -
    Microsoft 1.6004 2010.07.20 -
    NOD32 5295 2010.07.20 -
    Norman 6.05.11 2010.07.20 -
    nProtect 2010-07-20.02 2010.07.20 -
    Panda 10.0.2.7 2010.07.19 -
    PCTools 7.0.3.5 2010.07.20 -
    Prevx 3.0 2010.07.20 -
    Rising 22.57.01.04 2010.07.20 -
    Sophos 4.55.0 2010.07.20 -
    Sunbelt 6606 2010.07.20 -
    SUPERAntiSpyware 4.40.0.1006 2010.07.20 -
    Symantec 20101.1.1.7 2010.07.20 -
    TheHacker 6.5.2.1.320 2010.07.19 -
    TrendMicro 9.120.0.1004 2010.07.20 -
    TrendMicro-HouseCall 9.120.0.1004 2010.07.20 -
    VBA32 3.12.12.6 2010.07.20 -
    ViRobot 2010.6.21.3896 2010.07.20 -
    VirusBuster 5.0.27.0 2010.07.20 -
    Additional information
    File size: 293376 bytes
    MD5...: f80f6e09e7f4bafe478ca0da6137e1e2
    SHA1..: 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722
    SHA256: 682fd0d13d7caf4b17a1eb9bafa0a3c3598139bb3623d3f5fba3bfbd0a6d424a
    ssdeep: 6144:Uwbg2xeuJgWM/S1tm/xCIoQPJVZCzw5bEPb3cV9iYpTkyTFHS2:Uw82IZWM
    61tUXRd9IPb3cVZkyp/
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0xb3f40
    timedatestamp.....: 0x4b2763f0 (Tue Dec 15 10:24:48 2009)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    UPX0 0x1000 0x6d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    UPX1 0x6e000 0x47000 0x46200 7.93 7b777c30b7f75e5eb654691bb1616dcb
    .rsrc 0xb5000 0x2000 0x1400 3.38 710fb4291f153e98a3a03f3473b8bfd6

    ( 1 imports )
    > KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: UPX compressed Win32 Executable (39.5%)
    Win32 EXE Yoda's Crypter (34.3%)
    Win32 Executable Generic (11.0%)
    Win32 Dynamic Link Library (generic) (9.8%)
    Generic Win/DOS Executable (2.5%)
    packers (F-Prot): UPX
    packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: 1, 0, 15, 15281
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    WWWWWWWWWWWWWWWWWW
    Only one hit. D58
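    The report above is summed up as "only one hit", but the structural part of the same report carries the stronger signal: a UPX0 section with zero raw size and a large virtual size (the region an unpacking stub fills at run time), a UPX1 section with entropy 7.93, an import table reduced to LoadLibraryA and GetProcAddress plus two helpers, and no code signature. As an added example (not VirusTotal's code; it only assumes the text layout pasted above), the Python below parses that layout, the detection rows, the section table, the import list and the sigcheck verdict, and lists the packer indicators a defender would weigh against the detection count. The excerpt is a constructed subset of the posted report; the entropy and import-count thresholds are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt modelled on the VirusTotal report pasted in the thread.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2010.07.20.02 2010.07.20 -
AntiVir 8.2.4.12 2010.07.20 -
eSafe 7.0.17.0 2010.07.19 Win32.TrojanHorse
Kaspersky 7.0.0.125 2010.07.20 -
Additional information
File size: 293376 bytes
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6e000 0x47000 0x46200 7.93 7b777c30b7f75e5eb654691bb1616dcb
.rsrc 0xb5000 0x2000 0x1400 3.38 710fb4291f153e98a3a03f3473b8bfd6
( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
( 0 exports )
sigcheck:
verified.....: Unsigned
"""

HIGH_ENTROPY = 7.0      # assumption: near-8 entropy means compressed/encrypted bytes
TINY_IMPORTS = 8        # assumption: a real program imports far more than this


@dataclass
class Section:
    name: str
    virt_size: int
    raw_size: int
    entropy: float


@dataclass
class Report:
    engines: int = 0
    detections: int = 0
    sections: list = field(default_factory=list)
    imports: dict = field(default_factory=dict)   # DLL name -> [functions]
    signed: Optional[bool] = None                 # None if no sigcheck line seen


def parse_report(text: str) -> Report:
    """Parse the pasted report layout into a Report."""
    rep, mode = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Mode switches: table headers decide how following rows are read.
        if line.startswith("Antivirus Version"):
            mode = "av"
            continue
        if line.startswith("Additional information"):
            mode = None
            continue
        if line.startswith("name viradd"):
            mode = "sections"
            continue
        if re.match(r"^\( \d+ imports? \)$", line):
            mode = "imports"
            continue
        if mode == "av":
            parts = line.split()
            if len(parts) >= 4:
                rep.engines += 1
                if parts[-1] != "-":          # "-" means the engine reported clean
                    rep.detections += 1
            continue
        if mode == "sections":
            parts = line.split()
            if len(parts) == 6 and parts[1].startswith("0x"):
                rep.sections.append(Section(parts[0], int(parts[2], 16),
                                            int(parts[3], 16), float(parts[4])))
                continue
            mode = None                        # left the table; fall through
        if mode == "imports":
            m = re.match(r"^>\s*([^:]+):\s*(.*)$", line)
            if m:
                funcs = [f.strip() for f in m.group(2).split(",") if f.strip()]
                rep.imports[m.group(1).strip().upper()] = funcs
                continue
            mode = None
        m = re.match(r"^verified\.*:\s*(.+)$", line)
        if m:
            rep.signed = m.group(1).strip().lower() != "unsigned"
    return rep


def detection_ratio(rep: Report) -> float:
    return rep.detections / rep.engines if rep.engines else 0.0


def assess(rep: Report) -> list:
    """Packer/loader indicators present in the report, one string each."""
    reasons = []
    for s in rep.sections:
        if s.entropy >= HIGH_ENTROPY:
            reasons.append(f"section {s.name}: entropy {s.entropy:.2f} (packed/encrypted data)")
        if s.raw_size == 0 and s.virt_size > 0:
            reasons.append(f"section {s.name}: no raw data but 0x{s.virt_size:x} bytes "
                           "virtual (unpacking target)")
    k32 = set(rep.imports.get("KERNEL32.DLL", []))
    total = sum(len(v) for v in rep.imports.values())
    if {"LoadLibraryA", "GetProcAddress"} <= k32 and total <= TINY_IMPORTS:
        reasons.append("minimal import table with LoadLibraryA/GetProcAddress "
                       "(APIs resolved at run time)")
    if rep.signed is False:
        reasons.append("unsigned executable")
    return reasons


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"detections: {rep.detections}/{rep.engines} ({detection_ratio(rep):.0%})")
    for r in assess(rep):
        print(" -", r)
```

    Legitimately UPX-packed software trips the same indicators, so this ranks a sample for further analysis rather than labelling it; the point for the thread is that a low detection ratio on a freshly seen, packed, unsigned binary is not evidence that it is clean, which is why the helper asked for the file to be checked rather than relying on the local scanner.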

  10. #30
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hi,

    Sorry for the delay but I have been away and off line all day.

    C:\ComboFix.txt <-- Have you tried going here and looking for the last log?


    How are things running now?