MarianAlexandru
Posts: 22
Posts posted by MarianAlexandru
-
-
OK, Norton just finished the process and deleted about 20 programs from my system (WinRAR, Yahoo, uTorrent, BSPlayer, etc.) and also jkon.exe, iyuyu.exe, jmxap.exe (these files get random names and are located on the C and D drives). But the last three are back after reboot. It seems the virus creates the files as soon as Windows loads. I think I need to check the startup programs and see if I can find anything suspicious.
-
I asked a friend to download NPE for me. He created a .rar archive and sent it to me. Now NPE is running and removing the malware it found. I can see most of the .exe files are infected (uTorrent, ComboFix, VLC). I'll post the results as soon as NPE finishes removing the malware.
-
Can't even download it:

-
ComboFix log:
ComboFix 12-12-29.02 - Marian 29.12.2012 17:48:48.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1150.774 [GMT 2:00]
Running from: c:\documents and settings\Marian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marian\Desktop\CFScript.txt
.
FILE ::
"C:\vafhd.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
c:\documents and settings\Marian\My Documents\MSDCSC\msdcsc.exe
C:\qadc.exe
C:\vafhd.exe
D:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
.
.
2012-12-29 14:12 . 2012-12-29 14:12 92160 ----a-w- C:\aklremover.exe
2012-12-28 15:32 . 2012-12-29 15:53 -------- d-----w- c:\windows\system32\CatRoot2
2012-12-27 10:13 . 2012-12-27 10:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-27 10:13 . 2012-09-29 17:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-27 10:08 . 2012-12-27 10:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-22 22:08 . 2012-12-22 22:13 -------- d-----w- c:\documents and settings\Marian\Application Data\Realore All My Gods
2012-12-22 10:41 . 2012-12-22 10:41 -------- d-----w- c:\documents and settings\Marian\Application Data\AlawarEntertainment
2012-12-22 10:40 . 2012-12-22 10:40 -------- d-----w- C:\Downloads
2012-12-22 10:00 . 2012-12-22 10:05 -------- d-----w- c:\documents and settings\Marian\Application Data\adelantado_big_fish_en
2012-12-22 09:56 . 2012-12-22 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2012-12-22 09:54 . 2012-12-22 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2012-12-19 22:13 . 2012-12-19 22:13 -------- d-----w- c:\documents and settings\Marian\Application Data\Canneverbe Limited
2012-12-19 22:13 . 2012-12-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2012-12-19 20:15 . 2012-12-29 00:32 -------- d-----w- c:\documents and settings\Marian\Application Data\vlc
2012-12-19 20:14 . 2012-12-19 20:14 -------- d-----w- c:\program files\VideoLAN
2012-12-18 14:31 . 2012-12-18 14:31 -------- d-----w- c:\program files\Axantum
2012-12-09 13:13 . 2012-12-10 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\notracks.com
2012-12-09 12:28 . 2012-11-22 13:10 380240 ----a-w- c:\windows\system32\EasyRedirect.dll
2012-12-03 17:38 . 2012-12-03 17:43 -------- d-----w- c:\documents and settings\Marian\Application Data\Charles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 19:58 . 2012-08-18 13:38 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-11 19:58 . 2012-08-18 13:38 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-12 13:43 . 2012-08-18 14:14 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-12 13:43 . 2012-08-18 14:14 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-06 06:27 . 2012-12-06 06:27 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"62.75.206.182,255.255.255.255,10.10.13.113,1"=""
"173.245.61.58,255.255.255.255,10.10.13.113,1"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\vipmetin2\\metin2client.bin"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Marian\\Desktop\\mbar-1.01.0.1011\\mbar\\fixdamage.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\Documents and Settings\\Marian\\Desktop\\ComboFix.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Documents and Settings\\Marian\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Glary Utilities\\initialize.exe"=
.
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [10/26/2012 9:35 PM 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [10/26/2012 9:35 PM 5248]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/27/2012 12:13 PM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2012 12:13 PM 676936]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\noqlno.sys --> c:\windows\system32\drivers\noqlno.sys [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2012 12:13 PM 22856]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AMSINT32
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-18 19:58]
.
2012-12-29 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-08-19 23:22]
.
2012-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1604221776-839522115-1003Core.job
- c:\documents and settings\Marian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-16 11:09]
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1604221776-839522115-1003UA.job
- c:\documents and settings\Marian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-16 11:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
IE: E&xport în Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{F9160D27-4F22-4362-BF46-B754F8EF40A7}: NameServer = 213.154.124.1 193.231.252.1
FF - ProfilePath - c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\
FF - ExtSQL: 2012-11-10 16:51; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2012-12-03 19:41; {3e9a3920-1b27-11da-8cd6-0800200c9a66}; c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\extensions\{3e9a3920-1b27-11da-8cd6-0800200c9a66}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-29 17:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-1604221776-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2928)
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2012-12-29 18:02:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-29 16:01
ComboFix2.txt 2012-12-29 14:30
ComboFix3.txt 2012-12-28 11:27
ComboFix4.txt 2012-12-27 20:59
.
Pre-Run: 8.343.384.064 bytes free
Post-Run: 8.295.497.728 bytes free
.
- - End Of File - - 137EB10C1C24674BA1A3A930942CB02F
-
I downloaded NPE from another website, but once the download reaches 100% the virus blocks it. If I try to run NPE I get this error: "NPE.exe is not a valid Win32 application".
-
The virus is blocking the website. Can you give me the direct download link?
-
Yes, I ran the uninstaller found on their website; I tried to run it from different locations with no result.
ComboFix log:
ComboFix 12-12-29.02 - Marian 29.12.2012 16:17:37.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1150.809 [GMT 2:00]
Running from: c:\documents and settings\Marian\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
c:\documents and settings\Marian\Local Settings\Application Data\NGen.exe
D:\autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
.
.
((((((((((((((((((((((((( Files Created from 2012-11-28 to 2012-12-29 )))))))))))))))))))))))))))))))
.
.
2012-12-29 14:12 . 2012-12-29 14:12 92160 ----a-w- C:\aklremover.exe
2012-12-28 18:11 . 2012-12-29 00:21 103140 ----a-w- C:\vafhd.exe
2012-12-28 15:32 . 2012-12-29 14:08 -------- d-----w- c:\windows\system32\CatRoot2
2012-12-27 10:13 . 2012-12-27 10:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-27 10:13 . 2012-09-29 17:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-27 10:08 . 2012-12-27 10:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-22 22:08 . 2012-12-22 22:13 -------- d-----w- c:\documents and settings\Marian\Application Data\Realore All My Gods
2012-12-22 10:41 . 2012-12-22 10:41 -------- d-----w- c:\documents and settings\Marian\Application Data\AlawarEntertainment
2012-12-22 10:40 . 2012-12-22 10:40 -------- d-----w- C:\Downloads
2012-12-22 10:00 . 2012-12-22 10:05 -------- d-----w- c:\documents and settings\Marian\Application Data\adelantado_big_fish_en
2012-12-22 09:56 . 2012-12-22 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2012-12-22 09:54 . 2012-12-22 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2012-12-19 22:13 . 2012-12-19 22:13 -------- d-----w- c:\documents and settings\Marian\Application Data\Canneverbe Limited
2012-12-19 22:13 . 2012-12-19 22:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2012-12-19 20:15 . 2012-12-29 00:32 -------- d-----w- c:\documents and settings\Marian\Application Data\vlc
2012-12-19 20:14 . 2012-12-19 20:14 -------- d-----w- c:\program files\VideoLAN
2012-12-18 14:31 . 2012-12-18 14:31 -------- d-----w- c:\program files\Axantum
2012-12-09 13:13 . 2012-12-10 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\notracks.com
2012-12-09 12:28 . 2012-11-22 13:10 380240 ----a-w- c:\windows\system32\EasyRedirect.dll
2012-12-03 17:38 . 2012-12-03 17:43 -------- d-----w- c:\documents and settings\Marian\Application Data\Charles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 19:58 . 2012-08-18 13:38 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-11 19:58 . 2012-08-18 13:38 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-12 13:43 . 2012-08-18 14:14 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-10-12 13:43 . 2012-08-18 14:14 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-06 06:27 . 2012-12-06 06:27 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 21:10 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-03-12 81920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"62.75.206.182,255.255.255.255,10.10.13.113,1"=""
"173.245.61.58,255.255.255.255,10.10.13.113,1"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\vipmetin2\\metin2client.bin"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Marian\\Desktop\\mbar-1.01.0.1011\\mbar\\fixdamage.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\Documents and Settings\\Marian\\Desktop\\ComboFix.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Documents and Settings\\Marian\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Marian\\My Documents\\MSDCSC\\msdcsc.exe"=
"c:\\Program Files\\Glary Utilities\\initialize.exe"=
.
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [10/26/2012 9:35 PM 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [10/26/2012 9:35 PM 5248]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/27/2012 12:13 PM 399432]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2012 12:13 PM 676936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/27/2012 12:13 PM 22856]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-18 19:58]
.
2012-12-29 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-08-19 23:22]
.
2012-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1604221776-839522115-1003Core.job
- c:\documents and settings\Marian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-16 11:09]
.
2012-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1604221776-839522115-1003UA.job
- c:\documents and settings\Marian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-09-16 11:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
IE: E&xport în Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\
FF - ExtSQL: 2012-11-10 16:51; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2012-12-03 19:41; {3e9a3920-1b27-11da-8cd6-0800200c9a66}; c:\documents and settings\Marian\Application Data\Mozilla\Firefox\Profiles\5rewtv1m.default-1352558750515\extensions\{3e9a3920-1b27-11da-8cd6-0800200c9a66}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-/sam/man - c:\documents and settings\Marian\Local Settings\Application Data\NGen.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-29 16:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-1604221776-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2404)
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2012-12-29 16:30:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-29 14:30
ComboFix2.txt 2012-12-28 11:27
ComboFix3.txt 2012-12-27 20:59
.
Pre-Run: 8.453.410.816 bytes free
Post-Run: 8.389.349.376 bytes free
.
- - End Of File - - 3A2A110CB12ACED06744CD3DF2CC7A70
-
I have no idea how this keylogger got on my system.
-
When I run the uninstaller it says Ardamax Keylogger not found.
-
So Ardamax Keylogger prevents me from going to any antivirus website?
-
The computer's running normally, but I still can't access anti-virus websites such as Kaspersky or VirusTotal. The qmkw file doesn't appear in the C: drive anymore, though there's a new file now, vafhd.exe (I scanned it with MB and it's the same virus).
Here's the checkup.txt:
Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86 (UAC is disabled!)
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Please wait while WMIC compiles updated MOF files.
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
JavaFX 2.1.1
Java 7 Update 9
Adobe Flash Player 11.5.502.135
Mozilla Firefox (17.0.1)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 18% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
-
Yes, the error shows up only when opening ComboFix.
-
The FixIt from Microsoft didn't work, I still get the NSIS error when trying to open ComboFix.
I looked into the AdwCleaner log and there's nothing I want to keep. Here's the log:
-
GIRMGU is a virus; here I found Ardamax Keylogger and deleted its files. I don't know about the first folder (BHIRBL), but I'm pretty sure it's malware. I'll post the ComboFix log here. One more thing to mention: the virus seems to damage ComboFix somehow. If I try to run CF I get this error:

If I want to run CF I have to download it every time.
-
-
I looked into the autorun.inf on the C drive and here's what I found:
[AutoRun]
;Rpmbgndtjw GdqwlWwpRLYhakQsj
;noAymebxug gtjQx isiNhyfauk
sheLL\Open\DEFaUlT=1
;WVnF
sheLl\opeN\comMaNd =qmkw.exe
;djfQ lwrQ dvnJfjiTyGQoQyaFx uYgVc
OpEN =qmkw.exe
;kdohgu Xpbrp lfXmqtviwvcA
sHEll\explorE\CoMMaND = qmkw.exe
;PodfcKhRARB
ShELl\AUTopLAy\commANd =qmkw.exe
I tried deleting the autorun.inf or replacing its contents with this:
[AutoRun]
open=C:\windows\explorer.exe
but it doesn't work.
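As an added example (not from the thread or from any of the tools named in it): a small Python triage helper that reads an autorun.inf the way Windows does (case-insensitive keys, comment lines skipped, whitespace around '=' ignored) and reports which entries would make Explorer launch a program when the drive is opened. The sample files are constructed; the malicious one is modelled on the autorun.inf quoted above.

```python
# Added example, not from the thread or from any tool named in it: parse an
# autorun.inf the way Windows does (case-insensitive keys, comment lines
# skipped, whitespace around '=' ignored) and report which entries would make
# Explorer launch a program when the drive is opened or double-clicked.
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the autorun.inf the thread quotes from C:\.
# Randomly cased keys and junk ';' lines defeat naive string matching.
SAMPLE_MALICIOUS = r"""[AutoRun]
;Rpmbgndtjw GdqwlWwpRLYhakQsj
;noAymebxug gtjQx isiNhyfauk
sheLL\Open\DEFaUlT=1
;WVnF
sheLl\opeN\comMaNd =qmkw.exe
;djfQ lwrQ dvnJfjiTyGQoQyaFx uYgVc
OpEN =qmkw.exe
;kdohgu Xpbrp lfXmqtviwvcA
sHEll\explorE\CoMMaND = qmkw.exe
;PodfcKhRARB
ShELl\AUTopLAy\commANd =qmkw.exe
"""

# Constructed sample: the kind of autorun.inf a legitimate install CD carries.
SAMPLE_BENIGN = r"""[autorun]
icon=setup.exe,0
label=Product Installer
"""

# Keys whose value Explorer executes when the drive is opened, when the 'Open'
# or 'Explore' verb is chosen, or when AutoPlay fires. These are exactly the
# keys the infected file overrides.
EXEC_KEYS = (
    "open",
    "shellexecute",
    "shell\\open\\command",
    "shell\\explore\\command",
    "shell\\autoplay\\command",
)

PROGRAM_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as {lower-cased key: value}.

    Comment lines (';' or '#'), blank lines and keys outside [autorun] are
    ignored; whitespace around '=' is stripped, matching how Windows reads it.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_entries(entries: Dict[str, str]) -> List[str]:
    """Entries that would launch a program, as 'key=value' strings.

    shell\\open\\default=1 is reported too: it makes the hijacked 'Open' verb
    the default action, so a plain double-click on the drive runs the command.
    """
    hits = [f"{k}={entries[k]}" for k in EXEC_KEYS
            if k in entries and PROGRAM_RE.search(entries[k])]
    if entries.get("shell\\open\\default") == "1":
        hits.append("shell\\open\\default=1")
    return hits


def launch_targets(entries: Dict[str, str]) -> Set[str]:
    """Program names referenced by the launch keys: the files to look for in
    the drive root (qmkw.exe in the thread)."""
    return {entries[k].split()[0].lower() for k in EXEC_KEYS
            if k in entries and PROGRAM_RE.search(entries[k])}


if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        parsed = parse_autorun(sample)
        print(name, suspicious_entries(parsed), launch_targets(parsed))
```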
-
The first DNS (RCS&RDS) is my ISP but I have no idea what RNC is.
After MBAR scans the computer, it reboots to delete the files; after the reboot MBAR finds the same threats. Also, after the reboot I can't open the C drive by double-click; a window appears asking me to choose a program to open the C drive:

I managed to open the C drive by going to regedit and deleting all "mountpoints2" entries (I found this trick on the net).
Also, if I try to open Windows Firewall in the Control Panel, this error shows up:

I click Yes and it works, but after reboot it happens again; I have to enable the ICS service each time.
Everything seems to work normally, except I can't access most anti-virus websites, and qmkw.exe is always in the C:\ drive.
Here are the 2 logs from MBAR:
-
And here's the report from Rogue Killer:
-
-
I just scanned my computer with MalwareBytes and it found Ardamax Trojan and a Malware Packer gen: qmkw.exe (in my C:\ drive). I managed to manually remove the Ardamax trojan but can't remove qmkw.exe.
I attached the log file to this post. I would really appreciate it if anyone could help me remove this malware.
Thanks!
I forgot to mention that the virus blocks access to most anti-virus websites, so I can't download any virus removal tools. I only have MalwareBytes. I performed a full scan; it only finds qmkw.exe, it removes the file, and after reboot the virus is back in my C:\ drive.
-
qmkw.exe
in Resolved Malware Removal Logs
Posted
I downloaded a Microsoft Removal Tool and it found Win32 Sality, but it was unable to remove it. Then I downloaded the AVG Removal Tool; I ran it and it scanned the system all night (from 2 AM to 1 PM this morning). The process gets stuck at some point, so I had to reboot the system and start with the Last Known Good Configuration. It seems the virus is gone, no suspicious files on the C or D drive, and now I can access all anti-virus websites.
Thanks a lot for your help and patience, I really learned something from you.