Malicious .INI file

Whilst in the process of cleaning a client's PC, I came across some malicious files that seemed to slip past just about every scan except for Avira, and even Avira didn't pick up everything. The main "payload" was a file named "setup201.fon" and was disguised as a font. It basically attacked USB flash drives with a malicious "autorun.inf". The file "srv9fc.tmp" was loaded as a service at boot and I believe it rebuilt "setup201.fon" if it had been removed, but it also had a 'child' file named "srv9fc.ini". The contents of the INI file are listed below (I edited the IP address to avoid anyone from visiting it). The "setup201.fon" file also created some 'porn' shortcuts named "myporn.avi" and "pornmovs". Anyway, my question is this: is it possible that the INI file listed below was sending data (like passwords and banking info) to the IP address listed in the file?

Or was this INI file simply downloading the "setup201.fon" malicious file at each boot if the .FON file was missing?

 

Not sure if there is a definitive answer to that, but probably safe to assume the worst.
MSE detects *setup201.fon* as Win32/Meredrop, here. OP had a Tdl4 but chose not to pursue.
Did you clean up manually or run some scanners?
Logs from those may divulge some info on other friends setup201.fon might have had.

Cheers..

 

If its a Trojen i would run the malwarebytes program too make sure its still not in the system.

 

Both - since most scanners including MBAM and SuperAntiSpyware didn't detect the files, I had to manually remove most of the infection. Avira did detect and remove 2 of the files, but the malicious service and it's related registry entries required manual removal. I have since run numerous other programs (TDSSkiller, HJT, etc) just to be sure I didn't miss anything. The owner of the PC didn't bring me the PC for virus removal; she thought it just needed a tune up and more RAM because she said it was slow when online. In the process of doing ANY tune up, I always run Autoruns. It was there that I noticed the SRV9FC service; when a listed start up service has a .TMP extension and is in C:\WINDOWS\TEMP, you know something is wrong.