Hi, we got one file that keeps coming back. We’ll track down the source.
We have a driver to kill.
Please follow all previous instructions regarding security programs.
Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
KillAll::
File::
C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys
Rootkit::
C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys
C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys
Driver::
apcdli
ntptdb
This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.
It may have injected this file.
Please submit these files for analysis
To submit a file to virustotal, please click on this link
www.virustotal.com
Copy and paste the following into the “upload a file” box (one at a time if more than one file is listed):
C:\WINDOWS\system32\winlogon.exe
Scroll down a bit and click “send file”, wait for the results and post them in your next reply.
You have two folders whose names I can’t read. This is what I get in the logs. Can you please try to find them going by the time stamp?
2008-03-14 09:53 C:\Program Files\Öйú½¨ÉèÒøÐÐ
2008-03-14 17:53 C:\Program Files\Öйú½¨ÉèÒøÐÐ
And do you know what this is? It’s full of .ini files.
C:\Program Files\mfvz
We’ll work on the autoruns at the same time as removing some other things.
To help prevent future autorun infections.
Download this program, Flash Drive Disinfector by sUBs from
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe
Without any USB devices attached, we want to protect your hard drives as best we can.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
This utility will do a couple of things. First it will remove any autorun.inf it finds. There shouldn’t be one on a fixed HD anyway. There is no need for such a file on any removable storage device – iPod, USB flash drive, cell phone, etc. – as you can open these drives manually.
It will create a SYSTEM protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will also disable any current Autorun infection’s ability to restart.
We will do your C:, T:\ and one D:\ drive, so keep track of which drive you used. Plug it in before you run the following program.
Download “Clean Autoruns” from HERE:
http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip
Save and extract its contents to the desktop. It is a folder containing a batch file, Clean autoruns.bat, written by Mosaic1. Once extracted, open the folder and double-click on Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt , that will show the state before and after the cleaning.
Please post those.
Please download
OTMoveIt2 by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
D:\autorun.inf
C:\mwtkwro.exe /s
D:\mwtkwro.exe /s
T:\mwtkwro.exe /s
C:\sxs2.exe /s
D:\sxs2.exe /s
T:\sxs2.exe /s
C:\WINDOWS\system32\mprmsgse.axz
C:\Program Files\Tencent
C:\Program Files\ZoneAlarmSB
C:\FOUND.000
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f01b2e40-46d6-11db-a212-00023f1a0857}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{000fe7b0-73a0-11db-a28d-00023f1a0857}
Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\**_.log
(where “**_” is the “date_time”)
Run flashdrive disinfector again with that drive still attached.
After the reboot, remove the USB drive, insert another and run this fix in OTMoveIt2 (remember, in the box under the yellow bar):
D:\mwtkwro.exe /s
D:\sxs2.exe /s
D:\autorun.inf
Again run Flash Disinfector with the drive attached. Repeat the last fix and Flash Disinfector until all D:\ storage devices are done. I know it’s a pain, but with the infection showing in D:, there’s no way of knowing which is infected. The drives should be protected anyway.
Finally, we need to look at your system from a slightly different angle.
Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, DSS will open two Notepads, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Log required:
OTMoveIt2 results; you can put them together in one Notepad, just leave a couple of spaces so I can tell each run apart.
Clean Autoruns logs 1 & 2
DSS logs
virustotal results
directory names
Thanks
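The fixes above keep moving root-level files such as mwtkwro.exe and sxs2.exe (with their “/s” switches) and the autorun.inf that launches them. As an added illustration, not part of this thread or any of the tools it names, the following Python inspector shows what a defender looks for inside an autorun.inf before trusting a drive: it parses the file tolerantly (malware copies are often padded with junk lines, odd casing and a BOM that break strict INI parsers) and reports every directive that would auto-launch a program. The sample autorun.inf is constructed for this example and only modelled on the file names seen in the logs.

```python
import re

# [autorun] directives that make Windows run something on insert/open.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command entries hijack "Open"/"Explore" in the context menu.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun_inf(text):
    """Tolerant INI parser: skips junk lines, a UTF-8 BOM and comments,
    lower-cases section and key names so casing tricks do not hide entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # junk padding outside a section or without a value
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_launch_entries(text):
    """Return (directive, command) pairs that would auto-launch a program."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def program_name(cmd):
    """Bare program from a command line, e.g. 'mwtkwro.exe' from 'mwtkwro.exe /s'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                    # quoted path with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def referenced_executables(text):
    """Distinct program names to look for at the drive root (order preserved)."""
    seen, names = set(), []
    for _, cmd in find_launch_entries(text):
        prog = program_name(cmd)
        if prog and prog.lower() not in seen:
            seen.add(prog.lower())
            names.append(prog)
    return names


# Constructed sample, modelled on the file names in this thread (not a capture).
SAMPLE = "\ufeff" + r"""[AutoRun]
;;;; junk padding
open=mwtkwro.exe /s
shell\open\Command=sxs2.exe /s
shell\explore\command="sxs2.exe" /s
UseAutoPlay=1
"""
```

Run `referenced_executables(SAMPLE)` to get the list of root-level files the autorun.inf would start; an `icon=` or `label=` only file yields an empty list.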