Trojan.tracur infection

Should this have removed this infection successfully? Where might I have picked it up: an attempt to use Frostwire to download Matlab and PaintShop PRO?

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6711

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

29/05/2011 13:11:02
mbam-log-2011-05-29 (13-11-02).txt

Scan type: Full scan (C:|D:|Q:|)
Objects scanned: 331077
Time elapsed: 55 minute(s), 10 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
c:\Windows\SysWOW64\KBDCZ232.exe (Trojan.Tracur.SGen) → 2276 → Unloaded process successfully.
c:\programdata\icsigd32.exe (Trojan.Tracur.SGen) → 3268 → Unloaded process successfully.
c:\Users\MCGA\AppData\Roaming\SysWin\lsass.exe (Trojan.Tracur.SGen) → 3468 → Unloaded process successfully.
c:\Windows\sqlserverspatialwow.exe (Trojan.Tracur.SGen) → 1224 → Unloaded process successfully.

Memory Modules Infected:
c:\programdata\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.S) → Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0ED4C89D-152A-4D16-AD41-0B5B94571439} (Trojan.Tracur.S) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED4C89D-152A-4D16-AD41-0B5B94571439} (Trojan.Tracur.S) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ED4C89D-152A-4D16-AD41-0B5B94571439} (Trojan.Tracur.S) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ED4C89D-152A-4D16-AD41-0B5B94571439} (Trojan.Tracur.S) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RTHDBPL (Trojan.Tracur.SGen) → Value: RTHDBPL → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqlserverspatialwow.exe (Trojan.Tracur.SGen) → Value: sqlserverspatialwow.exe → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dsdmowow.exe (Trojan.TracurW.Gen) → Value: dsdmowow.exe → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) → Bad: (C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll) Good: () → Quarantined and deleted successfully.

Folders Infected:
c:\Users\MCGA\AppData\Roaming\SysWin (Trojan.Agent) → Quarantined and deleted successfully.

Files Infected:
c:\Windows\SysWOW64\KBDCZ232.exe (Trojan.Tracur.SGen) → Quarantined and deleted successfully.
c:\programdata\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.S) → Quarantined and deleted successfully.
c:\programdata\icsigd32.exe (Trojan.Tracur.SGen) → Quarantined and deleted successfully.
c:\Users\MCGA\AppData\Roaming\SysWin\lsass.exe (Trojan.Tracur.SGen) → Quarantined and deleted successfully.
c:\Windows\sqlserverspatialwow.exe (Trojan.Tracur.SGen) → Quarantined and deleted successfully.
c:\Windows\System32\KBDCZ232.exe (Trojan.Tracur.SGen) → Quarantined and deleted successfully.
c:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.S) → Quarantined and deleted successfully.
c:\Users\MCGA\downloads\retrogamer.exe (Adware.FunWeb) → Quarantined and deleted successfully.
c:\Windows\System32\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.S) → Quarantined and deleted successfully.
c:\Windows\System32\icsigd32.exe (Trojan.Tracur.SGen) → Quarantined and deleted successfully.
c:\Windows\SysWOW64\icsigd32.exe (Trojan.Tracur.SGen) → Quarantined and deleted successfully.

Firefox still hijacked. I can’t include the OTS scan here either in-line (>10000 characters) or as an attachment. Tried zipped but that’s not an allowed attachment.

MWB is still scanning clean. I’m getting the occasional (tbh seems less often than before) hijack when I browse to a new location.

If it is large to attach then upload to Mediafire and post the sharing link.

Also run this small programme and post the log.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

OTS scan → http://www.mediafire.com/?tp6mcmm8ub51gkd

MWB scan still showing up clean.
aswMBR scan attached.

Thanks in advance. Can already tell there is great support given on this forum.

I see you are also running McAfee - it is never advisable to run two antivirus programmes together. On completion of these runs can you let me know what problems remain.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Processes - Safe List]
YY -> sqlserverspatialwow.exe -> c:\Windows\SqlServerSpatialwow.exe
YY -> lsass.exe -> C:\Users\MCGA\AppData\Roaming\SysWin\lsass.exe
YY -> kbdcz232.exe -> C:\Windows\SysWOW64\KBDCZ232.exe
YY -> icsigd32.exe -> C:\ProgramData\icsigd32.exe
NY -> arcademovieservice.exe -> C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe
NY -> mwldaemon.exe -> C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
[Registry - Safe List]
< FireFox Extensions [User Folders] > -> 
YY -> XUL Cache   -> C:\Users\MCGA\AppData\Roaming\Mozilla\Firefox\Profiles\7mncn221.default\extensions\{0bb23e34-0308-4b1f-bc65-f16cb8b1656c}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {0ED4C89D-152A-4D16-AD41-0B5B94571439} [HKLM] -> C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-032.dll [Reg Error: Value error.]
< 64bit-Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "Locked" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "Locked" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "RTHDBPL" -> C:\Users\MCGA\AppData\Roaming\SysWin\lsass.exe [C:\Users\MCGA\AppData\Roaming\SysWin\lsass.exe]
YY -> "sqlserverspatialwow.exe" -> c:\Windows\SqlServerSpatialwow.exe [c:\windows\sqlserverspatialwow.exe]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "dsdmowow.exe" -> [C:\Windows\dsdmowow.exe]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll -> C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
[Files/Folders - Created Within 30 Days]
NY ->  6B302AE0024CFC5016EDA52DAD96BEC7 -> C:\ProgramData\6B302AE0024CFC5016EDA52DAD96BEC7
NY ->  api-ms-win-core-misc-l1-1-032.dll -> C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll
NY ->  SysWin -> C:\Users\MCGA\AppData\Roaming\SysWin
NY ->  api-ms-win-core-misc-l1-1-032.dll -> C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-032.dll
NY ->  MinGW -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MinGW
NY ->  MinGW -> C:\MinGW
[Files/Folders - Modified Within 30 Days]
NY ->  52992060 -> C:\ProgramData\52992060
NY ->  api-ms-win-core-misc-l1-1-032.dll -> C:\ProgramData\api-ms-win-core-misc-l1-1-032.dll
NY ->  2025271312 -> C:\Windows\SysWow64\2025271312
NY ->  icsigd32.exe -> C:\Windows\SysWow64\icsigd32.exe
NY ->  api-ms-win-core-misc-l1-1-032.dll -> C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-032.dll
NY ->  KBDCZ232.exe -> C:\Windows\SysWow64\KBDCZ232.exe
NY ->  icsigd32.exe -> C:\ProgramData\icsigd32.exe
NY ->  Äõ4 -> C:\Windows\Äõ4
NY ->  pó“ -> C:\Windows\pó“
[Files - No Company Name]
NY ->  SqlServerSpatialwow.exe -> C:\Windows\SqlServerSpatialwow.exe
NY ->  52992060 -> C:\ProgramData\52992060
NY ->  icsigd32.exe -> C:\ProgramData\icsigd32.exe
NY ->  KBDCZ232.exe -> C:\Windows\SysWow64\KBDCZ232.exe
NY ->  icsigd32.exe -> C:\Windows\SysWow64\icsigd32.exe
NY ->  2025271312 -> C:\Windows\SysWow64\2025271312
NY ->  Äõ4 -> C:\Windows\Äõ4
NY ->  pó“ -> C:\Windows\pó“
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

OTS log → http://www.mediafire.com/?bw8a1ibzbc1zrg9

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6722

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

30/05/2011 08:40:00
mbam-log-2011-05-30 (08-40-00).txt

Scan type: Quick scan
Objects scanned: 172331
Time elapsed: 4 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\MCGA\downloads\xvidsetup.exe.part (Adware.Hotbar) → Quarantined and deleted successfully.
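The two Malwarebytes logs in this thread (the full scan above and the quick scan just posted) share one line layout, and two things are worth checking in them before declaring the machine clean: whether any item was only scheduled for "Delete on reboot", and which registry hits were autostart locations (the Run keys, the AppInit_DLLs entry and the BHO CLSID). The parser below is an added example, not a tool from the thread or from Malwarebytes; the sample log is constructed from lines copied out of the thread.

```python
import re

# Constructed sample in the Malwarebytes 1.50 log layout used in this thread;
# the paths and detection names are copied from the thread's own logs.
SAMPLE_LOG = """\
Registry Data Items Infected: 1
Files Infected: 2
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\\ProgramData\\api-ms-win-core-misc-l1-1-032.dll) Good: () -> Quarantined and deleted successfully.
Files Infected:
c:\\programdata\\icsigd32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\\programdata\\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.S) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# target (family) -> optional middle fields -> action; arrows may be "->" or "→"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<rest>.+?)\.?$")
ARROW_RE = re.compile(r"\s*(?:->|→)\s*")

def parse_mbam_log(text):
    """Return (summary counts per section, list of detection dicts)."""
    counts, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if m := SUMMARY_RE.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            items.append({"section": section, "target": m["target"], "family": m["family"],
                          "action": ARROW_RE.split(m["rest"])[-1]})  # last arrow field
    return counts, items

def count_mismatches(counts, items):
    """Sections whose summary count disagrees with the detail lines (truncated paste?)."""
    seen = {}
    for it in items:
        seen[it["section"]] = seen.get(it["section"], 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if seen.get(s, 0) != n}

def pending_reboot(items):
    """Items only scheduled for removal: a follow-up scan means nothing until a restart."""
    return [it["target"] for it in items if it["action"] == "Delete on reboot"]

def persistence_hits(items):
    """Registry detections in autostart locations (Run keys, AppInit_DLLs, BHOs)."""
    keys = ("\\CurrentVersion\\Run\\", "AppInit_DLLs", "Browser Helper Objects")
    return [it["target"] for it in items
            if it["section"].startswith("Registry") and any(k in it["target"] for k in keys)]
```

Run against the full-scan log from the top of the thread it reports the AppInit_DLLs, Run and Browser Helper Objects entries as the persistence set and the in-memory DLL as the one item deferred to reboot.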

What problems remain ?

Still occasionally being redirected to sites designed to look like windows, with scary “you are infected, please run this, please stay on this web page message boxes”. Also other sites about tools to clear or scan. This is when, for example, I click on a Google search and select a link to Wikipedia. This has probably only happened twice this morning since the latest scans. I’ll continue to monitor.

I’m afraid to use Internet Banking for the moment or book anything using credit card details.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

http://www.mediafire.com/?o3o5ujauni4

Just to mention, screen resolution keeps reducing automatically.

Could you attach the combofix log please as Mediafire appears to have lost it

http://www.mediafire.com/?o3o5uja

Too big to attach, but I was also able to download it from MediaFire just now.

Nope still can’t get it

Could you split the log and attach please

http://www.filefactory.com/file/ccae549/n/ComboFix.txt

Try here please. I tried splitting in two, each half was still over 10000 characters.

Not seeing browser redirections any more. Have also not noticed a resolution change today.

You should be able to attach it to the post, not copy and paste. Since the file is only 31.09KB it would be within the 200KB limit for a text file.

You can use the Additional Options, in the reply window to attach files. See second image, click to expand.

File attached

What are your current problems ?

Think I’m good now. Sorry it has taken a while to supply ComboFix log. Thought you might spot something in it or say it all looks good now.