
MWB won't load infected with MBR, trojan and DNS Hijacker



ComboFix 10-05-24.07 - Liz 05/25/2010 12:11:08.5.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.174 [GMT -6:00]

Running from: c:\steve\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

E:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))

.

2010-05-25 05:44 . 2010-05-25 05:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-25 05:44 . 2010-05-25 05:44 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-25 05:43 . 2010-05-25 05:43 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-25 05:43 . 2010-05-25 05:43 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-25 05:43 . 2010-05-25 05:43 -------- d-----w- c:\windows\system32\drivers\Avg

2010-05-25 05:43 . 2010-05-25 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-05-25 05:36 . 2010-05-25 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-24 22:59 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-24 22:59 . 2010-05-24 22:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-24 22:59 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-24 01:48 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\MPSigStub.exe

2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\PCHealth

2010-05-24 01:39 . 2010-05-24 01:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth

2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\program files\Seagate

2010-05-24 01:26 . 2010-05-24 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate

2010-05-24 01:25 . 2010-05-24 01:25 -------- d-----w- c:\documents and settings\Liz\Local Settings\Application Data\Downloaded Installations

2010-05-24 01:25 . 2010-05-24 01:25 -------- d-sh--w- c:\windows\ftpcache

2010-05-24 01:11 . 2010-05-24 01:11 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-05-23 18:27 . 2010-05-23 18:27 -------- d-----w- C:\Steve

2010-05-23 18:21 . 2010-05-23 18:21 -------- d-----w- c:\program files\Trend Micro

2010-05-22 21:34 . 2010-05-22 21:34 -------- d-----w- c:\windows\system32\DRVSTORE

2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\program files\Lavasoft

2010-05-22 21:33 . 2010-05-22 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-05-22 17:48 . 2010-05-22 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2010-05-22 15:38 . 2010-05-22 15:38 -------- d--h--w- c:\windows\PIF

2010-05-21 23:12 . 2010-05-21 23:12 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes

2010-05-21 23:11 . 2010-05-21 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-17 15:05 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-17 15:05 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll

2010-05-16 01:21 . 2010-05-12 17:21 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-12 17:21 . 2010-05-12 17:21 221568 ----a-r- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\MPSigStub.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-10 06:15 . 2004-09-15 04:12 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-04 20:11 . 2010-03-04 20:11 111 ----a-w- c:\program files\WS_FTP.LOG

2010-03-03 04:36 . 2010-03-03 04:36 18702178 ----a-w- c:\program files\HB20100302203045.bkp

2010-02-25 06:24 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-01 21:26 . 2010-02-01 21:26 98180904 ----a-w- c:\program files\iTunesSetup.exe

2005-12-21 03:59 . 2005-12-21 03:59 349182 ----a-w- c:\program files\pow101m-upd.zip

2005-12-21 03:55 . 2005-12-21 03:55 8922629 ----a-w- c:\program files\powsetup.exe

.

((((((((((((((((((((((((((((( SnapShot_2010-05-24_20.58.59 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-12 02:54 . 2009-07-12 02:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll

+ 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll

+ 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll

+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll

+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll

+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll

+ 2009-07-12 02:32 . 2009-07-12 02:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll

+ 2009-07-12 02:32 . 2009-07-12 02:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll

+ 2009-07-12 02:32 . 2009-07-12 02:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll

+ 2009-07-12 02:32 . 2009-07-12 02:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll

+ 2009-07-12 07:07 . 2009-07-12 07:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll

+ 2009-07-12 07:19 . 2009-07-12 07:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll

+ 2009-07-12 07:12 . 2009-07-12 07:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll

+ 2009-07-12 07:09 . 2009-07-12 07:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll

+ 2009-07-12 07:08 . 2009-07-12 07:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll

+ 2010-05-25 05:36 . 2010-05-25 05:36 424448 c:\windows\Installer\2ad7b9.msi

+ 2009-07-12 02:46 . 2009-07-12 02:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll

+ 2009-07-12 02:46 . 2009-07-12 02:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-04-19 16:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" [X]

"nwiz"="nwiz.exe" [2002-07-16 372736]

"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

"EPSON Stylus Photo 820 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 74240]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-05-25 05:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

"c:\\Program Files\\Previews on Windows\\rteng6.exe"=

"c:\\Program Files\\Previews on Windows\\preorder.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2010 11:43 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2010 11:44 PM 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/24/2010 11:36 PM 308064]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]

R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [10/28/2002 11:57 PM 177280]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [5/24/2010 11:43 PM 430152]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVG9WD

*NewlyCreated* - AVGLDX86

*NewlyCreated* - AVGMFX86

.

Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-1202660629-1343024091-1003Core1cac69baaf0f680.job

- c:\documents and settings\Liz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-02 22:23]

2010-05-25 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]

2010-05-25 c:\windows\Tasks\MpIdleTask.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]

2010-05-25 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://dons.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-25 12:21

Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)

c:\windows\system32\wininet.dll

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

Completion time: 2010-05-25 12:24:52

ComboFix-quarantined-files.txt 2010-05-25 18:24

ComboFix2.txt 2010-05-24 22:25

ComboFix3.txt 2010-05-24 21:02

ComboFix4.txt 2010-05-22 20:13

ComboFix5.txt 2010-05-25 18:09

Pre-Run: 7,496,663,040 bytes free

Post-Run: 7,528,448,000 bytes free

- - End Of File - - 6346CD006B94E3F751F68A588CD98DF0


What is this?

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

In my first post, I wrote the following:

Do not install or uninstall any software or hardware while we work on this.

Please uninstall your AVG. Maybe your question is: Why? My answer is: because you should not have more than one anti-virus program installed, as they will conflict and cause problems. You have two, so you need to uninstall one of them.

Let me know how things are now.


www.virustotal.com results:

c:\program files\HB20100302203045.bkp (17MB file). This is a file used with a database; it is a backup file.

Results 0/41 0% hits

http://www.virustotal.com/analisis/a802801...b067-1274821905

c:\program files\powsetup.exe (8.51MB). Order processing system.

Results 0/41 0%

http://www.virustotal.com/analisis/172148b...8026-1274822230

I don't think either of these files are infected.


Malwarebytes completed its scan. Found another file. Cleaned and removed it. Rebooted and re-ran Malwarebytes and it finished clean this morning.

Rebooted. Security Essentials was able to run and successfully update. First time that has worked in a while. MSSE is running now. We will post results.

File found was ccun.dat in /document and settings/liz/localsettings/temp/ccun.dat

AVG said it was Trojan Horse PSW.Generic 7.ccdy.

Problem was found using AVG Rescue CD and booting from the CD. Scan was slow, took about 4 hours but found the file. We renamed, rebooted then deleted the file. We then found the registry entry and removed it as well. It was in Drivers32/midi9 and the file was called with a command ccun.dat 2yAPFDOFNF.

Removed the registry entry, scanned for any other occurrences, emptied the trash and then rebooted.

Success.

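The persistence mechanism described in the post above (a trojan registered as a multimedia driver under the Drivers32 key, so that winmm.dll loads it into any process that touches the multimedia subsystem) is easy to audit. The following is an added example, not code from this thread or from Malwarebytes: it reads the Drivers32 key on a Windows host, or falls back to a constructed sample that mimics the "midi9" = "ccun.dat 2yAPFDOFNF" entry the poster found, and flags values that do not look like a bare driver module in system32. The allowed-extension list, the hard-coded system32 prefix and the sample entries are assumptions for illustration.

```python
"""
Added example: audit the Drivers32 registry key for values that do not look like
a legitimate multimedia driver.  Legitimate values are a bare module name
(wdmaud.drv, midimap.dll, imaadp32.acm, ...) that lives in system32.  A value
such as "ccun.dat 2yAPFDOFNF" breaks that pattern twice: wrong extension and a
trailing argument.
"""
import os
import re
import sys

DRIVERS32_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Module types that normally appear under Drivers32 (assumption based on a stock
# Windows XP install; extend the set if your environment registers other codecs).
ALLOWED_EXT = {".drv", ".dll", ".acm", ".ax", ".vcm"}

# Assumed install location; adjust if %SystemRoot% is elsewhere.
SYSTEM32_PREFIXES = (r"c:\windows\system32", "%systemroot%")

# Constructed sample: four stock XP entries plus the entry described in the thread.
SAMPLE_DRIVERS32 = {
    "wave": "wdmaud.drv",
    "midimapper": "midimap.dll",
    "msacm.imaadpcm": "imaadp32.acm",
    "vidc.cvid": "iccvid.dll",
    "midi9": "ccun.dat 2yAPFDOFNF",
}


def check_drivers32(values):
    """Return [(value_name, data, [reasons])] for every entry that looks wrong."""
    findings = []
    for name, data in values.items():
        reasons = []
        parts = data.strip().split()
        module = parts[0] if parts else ""
        if not module:
            reasons.append("empty module name")
        if len(parts) > 1:
            # winmm hands the whole string to the loader; real entries never carry arguments
            reasons.append("trailing arguments %r" % " ".join(parts[1:]))
        ext = os.path.splitext(module)[1].lower()
        if module and ext not in ALLOWED_EXT:
            reasons.append("unexpected extension %r" % ext)
        if re.search(r"[\\/]", module):
            # An explicit path is unusual by itself; outside system32 it is a strong signal.
            if not module.lower().startswith(SYSTEM32_PREFIXES):
                reasons.append("module path outside system32")
        if reasons:
            findings.append((name, data, reasons))
    return findings


def read_live_drivers32():
    """Read the real key on a Windows host; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DRIVERS32_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    source = read_live_drivers32() or SAMPLE_DRIVERS32
    for name, data, reasons in check_drivers32(source):
        print("%s = %r" % (name, data))
        for reason in reasons:
            print("    - " + reason)
```

Run it on the suspect machine and treat every reported value as a loader entry to investigate; on a 64-bit host a 32-bit Python sees the WOW6432Node view of the key, so check both views there. The same heuristics (bare module name, expected extension, system32 location) apply to the other loading points a ComboFix log lists, such as the Winlogon Notify DLLs and AppInit_DLLs.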

Good work! :welcome:

Step 1

* Go to start > run and copy and paste the following command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2

Please manually delete mbr, DDS, RootRepeal and mbam-clean.

Step 3

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :)


Oh, I'm so so sorry, Steve!

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.


This topic is now closed to further replies.