Am I clean now????

Hi all,

Trying to get rid of a pretty bad infection. Avast identifying as Rootkit, Win32:Agent-PSI, Alureon, Kryptik etc. Keeps dropping files into C:\Windows\Temp where Avast stops them running further.

I think I’ve managed to remove it using updated versions of
MBAM
TDSSKiller
Avast 5.1.889

Running Win XP SP3 with all updates and IE8.

Last scans with MBAM and TDSSKiller show nothing.

I ran OTL. Logs are attached.

One line has me concerned:

SRV - [2011/01/18 22:18:19 | 000,726,016 | ---- | M] (xqcygzfnpu Corporation) [Auto | Running] -- C:\WINDOWS\system32\igztjxpk.dll -- (pspuqclm)

Avast hasn’t thrown up any warnings in the last half hour as compared to one every minute or so previously.

However it did throw up a warning about mail settings. I’ve attached that as a jpeg. Strange that it said that the mail program was iexplore.exe. Is this Trojan activity?

Welcome any assistance.

Cheers

The Avast popup (your picture) has to do with this:
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=458

Or you have a program using the same ports as a mail client;
if I remember correctly there were some issues with torrent programs doing this.

Hi, could you post the TDSSKiller log please?

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - [2011/01/18 22:18:19 | 000,726,016 | ---- | M] (xqcygzfnpu Corporation) [Auto | Running] -- C:\WINDOWS\system32\igztjxpk.dll -- (pspuqclm)
IE - HKU\S-1-5-21-1004336348-162531612-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 129.12.3.75:3128
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.socks: "localhost"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "localhost"
FF - prefs.js..network.proxy.ssl_port: 8118
FF - prefs.js..network.proxy.type: 1
O2 - BHO: () - {58D23ECB-4E84-5E1E-7785-724E09764E6A} - C:\WINDOWS\system32\igztjxpk.dll (xqcygzfnpu Corporation)
NetSvcs: pspuqclm - C:\WINDOWS\system32\igztjxpk.dll (xqcygzfnpu Corporation)
[2011/01/18 22:18:19 | 000,726,016 | ---- | C] (xqcygzfnpu Corporation) -- C:\WINDOWS\System32\igztjxpk.dll
[2011/01/18 23:44:06 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\ocyii.sys
[2011/01/18 22:18:19 | 000,726,016 | ---- | M] (xqcygzfnpu Corporation) -- C:\WINDOWS\System32\igztjxpk.dll
[2011/01/17 19:17:03 | 000,000,007 | ---- | M] () -- C:\Documents and Settings\Brian\Application Data\uid_pal
[2011/01/18 22:42:16 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\mfcoqe.sys

:Files
ipconfig /flushdns /c
C:\WINDOWS\tasks\At*.job

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
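As an added example (not from the thread, OTL or any of the tools named in it), a small Python triage over lines in OTL's log format like the ones quoted above: it flags autostart entries whose publisher is not a known vendor and whose file or publisher name looks machine-generated, and any forced IE ProxyServer value. The publisher allowlist, the heuristic thresholds and the sample lines (including the known-good dhcpcsvc.dll entry) are constructed assumptions.

```python
import re

# Constructed sample in OTL's log format, modelled on the entries quoted in this
# thread plus one known-good Microsoft service (dhcpcsvc.dll) for contrast.
OTL_SAMPLE = r"""
SRV - [2011/01/18 22:18:19 | 000,726,016 | ---- | M] (xqcygzfnpu Corporation) [Auto | Running] -- C:\WINDOWS\system32\igztjxpk.dll -- (pspuqclm)
SRV - [2008/04/14 12:00:00 | 000,111,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
O2 - BHO: () - {58D23ECB-4E84-5E1E-7785-724E09764E6A} - C:\WINDOWS\system32\igztjxpk.dll (xqcygzfnpu Corporation)
IE - HKU\S-1-5-21-1004336348-162531612-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 129.12.3.75:3128
[2011/01/18 23:44:06 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\ocyii.sys
"""

# Publishers this box is expected to have (assumption: extend per machine).
KNOWN_PUBLISHERS = {"Microsoft Corporation", "Intel Corporation", "AVAST Software"}

# One regex per OTL line shape seen in the thread: service, BHO, file listing, IE proxy.
SRV_RE = re.compile(r"^SRV - \[.*?\] \((?P<pub>.*?)\) \[.*?\] -- (?P<path>\S.*?) -- \((?P<svc>.*?)\)$")
BHO_RE = re.compile(r"^O2 - BHO: .*? - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*?) \((?P<pub>.*?)\)$")
FILE_RE = re.compile(r"^\[.*?\] \((?P<pub>.*?)\) -- (?P<path>.*)$")
PROXY_RE = re.compile(r'"ProxyServer" = (?P<host>[^:\s]+):(?P<port>\d+)$')

def looks_random(name: str) -> bool:
    """Crude junk-name test on a file or publisher name: almost no vowels, or a long consonant run."""
    stem = re.sub(r"\.\w+$", "", name.split("\\")[-1]).lower()
    letters = re.sub(r"[^a-z]", "", stem)
    vowels = sum(c in "aeiou" for c in letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return bool(letters) and (vowels / len(letters) < 0.2 or longest_run >= 5)

def triage(log: str) -> list[str]:
    """Return one finding per suspicious OTL line; allowlisted publishers are never flagged."""
    findings = []
    for line in log.strip().splitlines():
        m = SRV_RE.match(line) or BHO_RE.match(line) or FILE_RE.match(line)
        if m:
            pub, path = m.group("pub"), m.group("path")
            # Unknown publisher is only a lead; pair it with a junk-looking name or a blank publisher.
            if pub not in KNOWN_PUBLISHERS and (not pub or looks_random(path) or looks_random(pub.split()[0])):
                findings.append(f"unknown publisher {pub!r} for {path}")
            continue
        m = PROXY_RE.search(line)
        if m:  # a machine that needs no proxy should not have one forced on it
            findings.append(f"IE proxy forced to {m.group('host')}:{m.group('port')}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(OTL_SAMPLE)))
```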

Not clean yet. Another .DAT file was dropped into temp dir. MBAM found 6 items. 1 dll in system32. Removed those now with MBAM.

TDSS log attached.

Will run OTL again.

MBAM log prior to removing.

New OTL logs with custom scan.

OTL failed to remove the driver, so we need a stronger tool.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Ran ComboFix. At the end of the stages it started deleting files. Before it finished I got a blue screen. Rebooting and will run again.

On reboot Avast was already running and it flagged the dll.

Turned off Avast and ran ComboFix. It did not delete anything this time. Log attached.

igztjxpk.dll is still present in System32.

Turned Avast back on and it is flagging again.

Will try ComboFix another time.

Damn… I just noticed when I ran OTL that I clicked on “Run Scan” instead of “Run Fix”.

I started all over again. Ran MBAM which removed 2 items. Then did the custom OTL with “Run Fix”. I got a report on this saying that it deleted or moved items but I can’t find a copy of that log.

So I rebooted and ran OTL Quick scan. Log attached.

Avast is quiet now and the Windows\Temp folder is empty apart from Avast.

Fingers crossed.

It looks OK now. Another OTL log attached.

For the heck of it I ran MBRCheck. Log of that attached too. It says the MBR code of my second drive is non-standard. Is that unusual?

Is the drive now at position 1 your old drive from either another system or this one that was a Dell or HP or something like that? The file has gone, so let's kill the control set now as well.

What problems do you have now?

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - File not found [Auto | Stopped] -- -- (pspuqclm)
O2 - BHO: () - {58D23ECB-4E84-5E1E-7785-724E09764E6A} - File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

No real problems showing now since I ran the “Run Fix” on OTL last night.
Get occasional blue screen + immediate reboot but I could not even boot when I first got the infection.

I just want to be sure before I trust this PC again.

For info:

465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
This drive has a small partition (80 GB) with XP on it.
The second partition contains most of my installed program files and other files.

232 GB \\.\PhysicalDrive1 Unknown MBR code

This drive is not partitioned. Just used for file storage.

OTL log attached as requested.

How often are the blue screens? And do they occur when you are running a specific programme?

Never during normal use, although I haven’t loaded up any resource hogging progs since I got infected. Will do that now.

It’s always on reboot I think, don’t recall a straight boot giving a problem.

I get a bluescreen for a fraction of a second, too short to read anything, then reboot.

If they occur again we will turn on reporting so that we can see what is causing the problem.

How would you do that?

…and thanks for all the help!!