Possible malware due to download of CDBurnerXP

Discussion in 'Malware Help (A Specialist Will Reply)' started by RK233, Jan 11, 2010.

  1. RK233

    RK233 Private E-2

    A week ago I wanted to copy some home DVDs so I visited a reputable forum to see what was suggested. The site recommended both CDBurnerXP by Canneverbe (most recommended) from CDBurnerXP.se and DeepBurner by Astonsoft from www.deepburner.com.

    The site links were given here so I clicked on both and went to both sites to download these programs to my desktop. Both sites were rated GREEN by WOT so this added some assurance and I assumed that they might be safe. Still, I uploaded these 2 programs from my desktop to http://virusscan.jotti.org/ to scan and double check; they came back clean. I then installed and tried running both programs. I later decided to just use the CDBurnerXP to copy one DVD which seemed to copy okay and viewed fine.

    About 1-2 days later I ran my Antivir anti-virus program and it found 3 items noted as "heuristic malware-suspect" which it quarantined; these 3 files were very old ones which I would not miss anyway. Due to concern I uploaded these to the Antivir server via the program for analysis which is pending. I also uploaded a copy of the .exe file for the install download for both of these programs; both analysis pending too.

    Several days later while watching the original DVD (which should be write protected) using my PowerDVD (DELL) program, I watched the program. I tried to go to a section at the end by sliding the bar instead of fast-forwarding with the button. Then I paused it and tried to capture an image which I pasted into the Paint program to save. Somehow the DVD or player got corrupted from doing this or it may have been corrupted due to malware that may have affected various system processes.

    I am concerned so I scanned several times with both Antivir AV (found nothing new) and Malwarebytes (both in safe and normal mode found nothing). I ran SUPERAntiSpyware in safe mode (found nothing). I ran McAfee Stinger in safe mode (found nothing). I cleaned temp files several times using CCleaner and ATF-Cleaner.

    I need to determine whether these downloaded programs affected my machine in a bad way by adding/deleting processes or by changing the registry etc. Also, I need to find out if these programs may have caused the problem with my DVD reader by installing malware.

    I have followed your protocol and I have attached the following logs for your review.

    1. Super anti-spyware SASlog.txt
    2. Malwarebytes mbam-log.txt
    3. Combofix


    I could not get the Windows Recovery Console to install by dragging its icon over to the combofix.exe icon so I had to run this 3 times, the 3rd time manually activating my firewall then going online at the prompt to download it. There are thus 3 ComboFix logs, with the 2nd being abridged as it was quite long since the program did a system snapshot listing many programs. [I REALIZE I PROBABLY SHOULD NOT HAVE DONE THIS SO FORGIVE ME IN ADVANCE]

    Regarding the Combofix logs:

    The 1st log had 5 items under "OTHER DELETIONS"; programs which were saved in C:\Qoobox\Quarantine.

    1. 1st file was for my logitech webcam-NO ISSUE
    2. C:\windows\system32\drivers\etc\lmhosts
    3. C:\windows\system32\drivers\npf.sys
    4. C:\windows\system32\drivers\qyhkgaorjces.sys
    5. C:\windows\system32\pthreadVC.dll


    -lmhosts and npf.sys seemed like important system processes from reading google accounts.
    -pthreadVC.dll seemed like a very likely malware per threatexpert.com site
    -...\qyhkgaorjces.sys seems like malware especially since no mention was found via a google search

    The 2nd log had 1 item under "OTHER DELETIONS"; programs which were saved in C:\Qoobox\Quarantine

    C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (this may be associated with the Logitech controller)

    The 3rd log had no items under "OTHER DELETIONS".

    The Combofix logs (3) are attached for your review.

    The following day I started up my computer but my Spybot TeaTimer, which I had activated before shutting down the previous day, noted numerous attempts to change the registry which I blocked. The internet connection would NOT work.

    I promptly went to the C:\Qoobox\Quarantine folder and removed the .VIR end and renamed/copied the following files back to their original locations.

    1. C:\windows\system32\drivers\etc\lmhosts
    2. C:\windows\system32\drivers\npf.sys


    After rebooting the system I regained my internet connection. Also, an antivirus alarm that went off when running CCleaner, detecting C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll as a trojan, stopped going off.

    Presently, my printer cannot print pages from the web which it was able to do previously. Also, I was unable to copy files to either my CD or CD/DVD drives. I was however able to watch the DVD home video yet it was still corrupted in the area of concern.

    Please review these logs and let me know which files should or should not be deleted/quarantined.

    Also, HOW DO I REPLACE FILES/REGISTRY SETTINGS BACK TO WHAT THEY ORIGINALLY WERE IF THEY WERE CHANGED/QUARANTINED BY COMBOFIX?

    (This episode makes it evident that you really need to know what these processes are doing which Combofix quarantines before allowing it to do so and shutting off your computer. The program should have a setting such that "SUSPECT" files/registry entries are just listed and not changed/quarantined)

    4. Root Repeal Log RRLog.txt
    5. MGTools Log as C:\MGLogs.zip file


    Thank you for taking the time to look at my malware problem and for reviewing my logs. I appreciate any assistance that you can provide in resolving my problems.

    I await your analysis and recommendations before I do anything else.
     


    Last edited: Jan 11, 2010
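The post above asks how to put files that ComboFix moved into C:\Qoobox\Quarantine back where they came from, and then does it by hand (strip the .VIR suffix, copy back). The Python script below is an added example, not part of this thread and not ComboFix's own tooling: it inventories a quarantine folder, records a SHA-256 for every entry so there is a record of exactly what was put back, and restores only the names you choose, refusing to overwrite a file that already exists at the destination. It assumes the quarantine mirrors the original tree as <root>\<drive letter>\<original path>\<name>.vir, which matches how the poster describes the entries; if your layout differs, adjust inventory(). The sample quarantine it builds is constructed for the demo, with placeholder contents rather than the real files.

```python
"""Inventory a ComboFix-style quarantine and restore chosen files.

Added example, not from the thread. Assumed layout (adjust if yours
differs): <quarantine_root>/<DriveLetter>/<original path>/<name>.vir
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

QUARANTINE_SUFFIX = ".vir"


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large drivers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(quarantine_root, drive_map=None):
    """Return [(quarantined_path, original_path, sha256), ...].

    drive_map maps the drive folder under the quarantine root (e.g. "C")
    to the root to restore into; it defaults to "<letter>:/" and lets the
    demo restore into a scratch directory instead of the live system.
    """
    quarantine_root = Path(quarantine_root)
    drive_map = drive_map or {}
    entries = []
    for q in sorted(quarantine_root.rglob("*" + QUARANTINE_SUFFIX)):
        parts = q.relative_to(quarantine_root).parts
        if len(parts) < 2:        # no drive component: not a mirrored entry
            continue
        letter, tail = parts[0], Path(*parts[1:])
        root = Path(drive_map.get(letter, letter + ":/"))
        original = root / tail.with_name(tail.name[:-len(QUARANTINE_SUFFIX)])
        entries.append((q, original, sha256_of(q)))
    return entries


def restore(entries, names, dry_run=True):
    """Copy back the entries whose original file name is in `names`.

    An existing file at the destination is never overwritten, so a clean
    replacement that the cleanup tool already installed is kept. Returns
    the original paths that were (dry_run=False) or would be restored.
    """
    wanted = {n.lower() for n in names}
    done = []
    for q, original, _digest in entries:
        if original.name.lower() not in wanted or original.exists():
            continue
        if not dry_run:
            original.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(q, original)   # keeps the original timestamps
        done.append(original)
    return done


def build_sample_quarantine():
    """Constructed demo data: a scratch quarantine holding the three names
    the thread mentions. Contents are placeholders, not the real files."""
    base = Path(tempfile.mkdtemp(prefix="qoobox_demo_"))
    qroot = base / "Qoobox" / "Quarantine"
    for rel, body in {
        "C/WINDOWS/system32/drivers/npf.sys.vir": b"placeholder npf.sys",
        "C/WINDOWS/system32/drivers/etc/lmhosts.vir": b"# placeholder lmhosts\n",
        "C/WINDOWS/system32/drivers/qyhkgaorjces.sys.vir": b"placeholder unknown driver",
    }.items():
        p = qroot / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return qroot, base / "restored"       # restore target stands in for C:\


if __name__ == "__main__":
    qroot, target = build_sample_quarantine()
    entries = inventory(qroot, {"C": target})
    for q, original, digest in entries:
        print(f"{digest[:16]}  {q.name:24} -> {original}")
    print("dry run:", restore(entries, ["npf.sys", "lmhosts"]))
    print("restored:", restore(entries, ["npf.sys", "lmhosts"], dry_run=False))
```

Run the dry run first and keep its output together with the hashes; then restore only the entries you have identified (here the two files the poster needed for networking) and leave the unidentified driver in quarantine. On a real system omit the drive_map argument so paths resolve to C:\, and run from an elevated prompt.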
  2. RK233

    RK233 Private E-2

    Re: Possible malware due to download of CDBurnerXP -part 2

    Logs attached
     


  3. RK233

    RK233 Private E-2

    I must update you regarding some events that occurred after downloading and running Root Repeal & MGtools last night and then composing my previous message.

    Prior to shutting my computer off (WHICH I HAVE NOT DONE YET SINCE POSTING) I ran CCleaner which when run caused my Antivir program GUARD alarm to sound noting a detection. This detection was quarantined. I then ran the Antivir SCAN overnight which found the below items which have been quarantined.

    ANTIVIR DETECTIONS FOUND AND QUARANTINED 1/11/10

    GUARD DETECTED FILES (AFTER RUNNING CCLEANER) –(ABOUT 2:50am)

    Virus or unwanted program 'TR/Drop.Agent.bkfi [trojan]'
    detected in file 'C:\Documents and Settings\Administrator\Local Settings\temp\BblP2xop.exe.part'.
    Action performed: Move file to quarantine

    Virus or unwanted program 'TR/Drop.Agent.bkfi [trojan]'
    detected in file 'C:\Documents and Settings\Administrator\Local Settings\temp\sGC_BYOT.exe.part'.
    Action performed: Move file to quarantine

    SCANNER DETECTED (ABOUT 3:30am)

    The file 'C:\MGtools.exe'
    contained a virus or unwanted program 'TR/Drop.Agent.bkfi' [trojan]

    The file 'C:\System Volume Information\_restore{7EB6AA0C-6AFF-4E85-BE49-FCEB306B36DD}\RP1\A0000684.exe'
    contained a virus or unwanted program 'TR/Drop.Agent.bkfi' [trojan]

    Moved to quarantine
    ====
    Then I ran Malwarebytes Anti-Malware which found 4 items which were quarantined and/or removed. (See attached log too.)


    Edit by chaslang: Inline MBAM log removed. Logs need to be attachments.


    These files may be from the MGtools or other programs which were run per the malware removal instructions and may not be a problem. PLEASE REVIEW AND ADVISE.
    =======

    I am also posting my SpyBot teatimer LOG. As stated earlier, I definitely turned OFF the teatimer prior to running Combofix. Prior to turning the system off the teatimer was re-activated.

    When re-starting the computer the following morning (yesterday) many processes requested permission to make changes due to the ComboFix modifications. I denied all changes, as the log posted below (and attached) indicates. Since my computer could not connect to the Internet etc. and for reasons mentioned earlier I restored certain quarantined files back to their original places. System was re-booted and Internet connection was restored.

    SpyBot teatimer report


    Edit by chaslang: Inline Teatimer log removed. Logs need to be attachments.


    Later in the evening I downloaded Root Repeal & MGtools then ran them and posted the main message here with the attachments. I must note (as it just occurred to me) that the TeaTimer may have been on during this time by mistake. Thus, the MGtools which ran at about 12:02 am ran with the TeaTimer activated as you can see in the below posted Spybot log which notes 2 denials for changes to the registry at this time. [My apologies...I hope this does not affect the review and I don't need to re-run this again.] Please give me advice as to what to do based on the information given already.

    I am most concerned with what to do regarding the changes made by ComboFix. Again, how do I restore changes made by this program to the files/registry? What changes did the program make that need to be undone? PLEASE ADVISE.

    Thanks for your assistance.
     


    Last edited by a moderator: Jan 16, 2010
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember what our instructions state:
    1. No inline logs
    2. Once you start this cleaning process to remove your malware please do not do anything to your PC except what is requested in this procedure. Do not install anything on your own and do not run other scans.
    3. And at the end of the READ & RUN ME: Only run scans once.
    4. Uninstall J2SE Runtime Environment 5.0 Update 11 per step 3 of the READ & RUN ME.
    5. From the READ & RUN ME: Teatimer must be disabled
    6. Per step 4 of the READ & RUN ME, your MUST run MSconfig and put your system in Normal Startup mode
    Please remember all of the above for the future. Now complete # 4 thru 6 from the above and then attach a new log from MGtools. While most of your problems likely have nothing to do with malware, you do have some things to correct.

    And yes ComboFix does have false positives just like most other programs and sometimes you have to restore things from the quarantine.

    Also note that you should uninstall
    Mozilla Firefox (3.0.17)
    Spybot - Search & Destroy 1.4

    and then download and install the current version of FireFox. You already appear to have the newer Spybot installed but never uninstalled the outdated version.
     
    Last edited: Jan 13, 2010
  5. RK233

    RK233 Private E-2

    I tried to follow the instructions the best that I could. My apologies if I deviated from the procedure a bit.

    I have turned off TeaTimer. I do not usually use this function but I forgot to turn it off after running the additional programs after I turned it back on.

    I await your instructions for what I have already done and what to do next.

    Thank you for your assistance.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please re-read my last message since I edited it while you were reading and do what I request there.

    You should never have Teatimer on!
     
  7. RK233

    RK233 Private E-2

    I have done the following per your instructions:

    1) I added Java(TM) 6 Update 17 per the instructions on the MajorGeeks site. However, I was unable to uninstall the J2SE Runtime Environment 5.0 Update 11 from the Add/Remove section in the control panel.

    I got the following error message: "Error applying transforms. Verify that specified transform paths are correct."

    2) I turned off the tea-timer in Spybot. I also checked to confirm in tools>startup programs to be certain that it would not start up from those settings.

    3) I uninstalled the old version of the Spybot 1.4 (Thanks for alerting me to that.)

    4) I updated Firefox to the 3.5 version from their site. (That is weird as I was just prompted to update to version 3.0.17 within the past few days.)

    5) I emptied (deleted) entries from the Antivir quarantine and the Malwarebytes quarantine. MGtools.exe was restored to the C: location.

    6) I ran my CCleaner and ATF-Cleaner to clean unnecessary files.

    7) I ran MSConfig and put my system in NORMAL mode.

    8) Re-booted system

    9) Disconnected computer from internet and turned off firewall and Antivirus program GUARD.


    10) Ran MGTools from C:

    I am attaching the MGtools zip file logs. I have also attached the ComboFix-quarantined-files.txt (I am not sure whether you want this but I am attaching it just in case)

    After reviewing my Add/Remove programs list there are a number of other programs/services in my Add/Remove programs that can probably be removed as well. These include the A-squared antivirus program, Bonjour service, Housecall 6.6, Kaspersky online scanner, Uniblue Driver Scanner 2009, and the Uniblue Process Scanner.

    Please let me know what needs to be restored from the Combofix logs and how to do it.

    The pthreadVC.dll from Combofix I believe is associated with my printer. Yesterday, I manually replaced that file to its original location too. The printer worked better after doing this. I do not know what the qyhkgaorjces files/services are so I have left that alone.

    I must also note that my printer can print most web sites now (not Major Geeks though!). My CD player can play music CDs. My DVD can play DVDs still. (However, the current video from a DVD of concern still shows corruption at a certain location when played on my PowerDVD player; this may be a software/hardware issue as the DVD is write-protected, I believe.) I do not know if I can copy/save files to my CD or DVD yet.

    Also, I noticed that when starting my computer, after it shows the DELL logo, it quickly shows the page to switch to various Safe Modes etc. for about 3 seconds. This might be corrected when certain combofix changes are restored.

    Thanks again for your assistance.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No we don't need it. You only need to attach what we ask for.

    It has nothing to do with your printer. It is part of WinPcap just like the npf.sys file that ComboFix removed.

    This is most likely malware and was the only possible problem in your logs.

    Not a malware problem.

    I think you are misreading the screen. It has nothing to do with safe mode. It has to do with booting to the Recovery Console or booting into Windows. You installed the Recovery Console as part of the ComboFix procedure and this would be the where you choose it when/if necessary.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Administrator\Local Settings\TEMP

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 15, 2010
  9. RK233

    RK233 Private E-2

    Will this protocol also replace to the registry:
    .....\Legacy_NPF
    ......\Service_NPF

    .......or is this something to be done later?

    Also, I still cannot go to a web page, click "print preview", then click "print" and have my printer print it like I used to be able to. This may be a function of the NPF routine...I don't know. (Unless MajorGeeks prevents this from being done on its site.) How can this be corrected?

    I will do what you asked and post my logs. Thanks.

    I was able to copy and paste the above into my Notepad and save it that way.
     
  10. RK233

    RK233 Private E-2

    I have completed your updated instructions. Thank you for addressing my concerns in the quoted answers.

    I copy/pasted the instructions for the new ComboFix routine to the file CFScript.txt. I had to re-download a new current version of ComboFix as the earlier one expired.

    The REGEDIT4 routine was saved to my desktop as fixme.reg too.

    I disconnected my computer from the internet and turned off both my antivirus program and firewall. I then dragged the CFScript.txt into ComboFix.exe. I am attaching the log as requested.

    -----------------------
    Looking through your instructions in CFScript it seems like you have deleted a number of the WINDOWS/TEMP file entries from the S3 part of the HJT log which were not needed. A few years ago I also installed Anti-Hook with the HipEnforceDriver and Sandboxie with SbieDrvr etc. routines; apparently remnants still remained after I uninstalled these shortly thereafter. Thanks for deleting these items in the routine. I do not know what the ILS routine is for.

    Other items from the S3 of concern include:
    S3 MEMSWEEP2
    S3 TMPassthruMP
    (Looking in the DIR I could not find either of these. The latter might be a Trend Micro routine. These could probably be deleted as well if not necessary or already done. Please evaluate.)

    I do not know what the Folder/InfoProcess was for but thanks for deleting it if it was not needed.

    I do not know what the drivers/ma8500 etc. were for. Perhaps you can explain what this part of the routine was doing.
    ------------------------
    Looking through the ComboFix log I noticed that the file qyhkgaorjces.sys was restored on 01-11-2010. I realized that when I manually restored the pthreadVC.dll on 01-11-2010 I must also have restored the qyhkgaorjces.sys file as well (I realize the latter change was a big mistake given the 'suspect' nature of that file; good thing the service was quarantined). I deleted the qyhkgaorjces.sys file today.

    Prior to deleting the qyhkgaorjces.sys file I uploaded it to both Jotti and VirusTotal for scans; both came out clean. I checked the properties of this file and it turns out that it was from Panda Software 2007 v. 1.0.0.5 with Internal Name: RKPavProc; this was described as part of the Anti-malware Driver Support. Whether or not this is malware it is not needed on my machine (process/Legacy/service).

    ComboFix deleted/quarantined the following files:
    c:\windows\system32\drivers\etc\lmhosts
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\pthreadVC.dll


    This time I am leaving these files in quarantine pending your evaluation regarding how to handle these.
    ---------------------------
    I tried to delete the files in both of the below folders but was unable to as all files present were of the current date (per your note):
    C:\Windows\temp and
    C:\Documents and Settings\Administrator\Local Settings\TEMP


    I merged the fixme.reg file to my registry. This was successfully entered per a system message.

    Next, I ran the Cleaner with the basic settings. The System: Temporary files, Internet Explorer: Temporary internet files, and Firefox: Internet cache boxes were left checked. I'm not sure I quite understood what you meant by not running anything from any other forms; I assume that you did not want me to run anything from the other programs in the CCleaner which I didn't.

    I download the updated copy of MGTools.exe and ran this with my Antivirus and Firewall disabled.

    I am attaching the comboFix and MGTools Logs for your review.

    Is it safe to assume that the DeepBurner and CDBurnerXP programs, which I downloaded from supposedly reputable sites, did not contain malware or trojans etc. that may have "piggy-backed" on the download to corrupt my system by adding bad processes or deleting others? [I will probably uninstall these anyway. I should have just purchased Roxio etc. from a store.]
     
    Last edited: Jan 16, 2010
  11. RK233

    RK233 Private E-2

    Also, I have had a file on my desktop for several years that has 0 KB that I have been unable to delete even by using the Spybot shredder.
    "FW_ This will Never happen again in our lifetime."
    If you can assist me in deleting this I would appreciate it.

    Thanks again. I await your further recommendations. I also look forward to restoring the NPF files/processes/Legacy when appropriate. (I do not know how not having this will affect my machine)

    I will probably need to address the DVD player corruption issue on another forum along with other computer maintenance issues which I should address. It seems like the video player routine may have gotten corrupted. Please let me know where to address these other issues when it is appropriate after we finish the malware removal process.

    Attached are my logs.
     


    Last edited: Jan 16, 2010
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't need to fix this. You don't have WinPcap installed anymore and do not require this driver. It has nothing to do with your printer. WinPcap is a packet capturing tool.

    Try posting in the Software Forum. This is not a malware problem and has nothing to do with anything being done here.
     
  13. RK233

    RK233 Private E-2



    This is DEFINITELY malware! I googled the RKPavProc name which was attributed to Panda. Apparently there have been several other posts on other forums in which this process (attributed to Panda) was associated with a garbled-letter file name. All forums regarded this as malware.

    Is there a way to find out what this malware process does? Is there a place to submit this file for that type of analysis? If so, please let me know.

    You mentioned that I did not need the npf system files/Legacy/Service. Do I need lmhosts and pthread.dll?

    Also, what forum should I post to regarding the DVD player problem which may be due to a corruption in that process routine?

    I assume that all is corrected on your part and I am done with this malware removal process.

    Thank you for your assistance and I hope to hear from you regarding the above questions soon.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not problems. The 1st is from Sophos Anti-Rootkit the 2nd is from TrendMicro.

    You are not following our instructions from the beginning of the READ & RUN ME which stated:
    You need to STOP doing things on your own. I already repeated this in message # 4 of this thread. If I don't ask you to do it then you should not be doing it. That includes the fact that you renamed c:\QooBox to C:\QooboxOLD 011010

    You are making it more difficult to help you since you are not following instructions.

    Good to know! As I stated, it was the "only possible problem", I was not positive that it was malware but it definitely looked like it and was not needed anyway.

    Not malware, but you don't need them.

    I can only vouch for things that you download from Major Geeks as being clean.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the following. Click Start, Run and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple & brown is merely informational.

    cd desktop <-- Note the space after the cd This changes to the Desktop folder and the prompt should change to C:\Documents and Settings\Administrator\Desktop>
    del fw_thi~2 <-- this should delete the file. There is a space after the del and you must type this exactly as shown with the underscore and tilde ( ~ ) characters.
    exit


    Software Forum. If all files do not play, it would be the Hardware Forum.

    Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
