File created in system32 after every boot

Hi Doug

As you have run through our READ & RUN ME FIRST Before Asking for Support info, please attach th erequested logs and one of our malware gurus will be able to assit you in removing these.

 

You are using old versions of GetRunKey and ShowNew. You need to download the current versions and use them from now on.

Question: Did you disable auto play on all possible drives in your system? The below registy key shows that they are all disabled.

You need to go in an manually cleanup all the garbage being reported in multiple email accounts!
C:\Documents and Settings\Doug Simmons\Application Data\Mozilla\Profiles\default\as4ksfqe.slt\Mail
C:\Documents and Settings\Doug Simmons\Application Data\Mozilla\Profiles\default\as4ksfqe.slt\Mail
C:\Documents and Settings\Doug Simmons\Application Data\Thunderbird\Profiles\bous6ilw.default\Mail
G:\Temp\Users\doug777\Mail\inbox.sbd
H:\Netscape\Users\doug777\Mail\Inbox
H:\Netscape\Users\doug777\Mail\Trash

Now let's continue with your malware and other cleanup!

• First Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to STOPzilla Local Service
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pasteSTOPzilla Local Service into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Now Download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

Now Uninstall the below old versions of software:
J2SE Development Kit 5.0 Update 4
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.0_03
Java 2 Runtime Environment, SE v1.4.1_02
Mozilla Firefox (1.5.0.8)

Now install the current version of Sun Java from: Sun Java
Runtime Environment

Then install the current version of FireFox from: Mozilla Firefox


If you need the Sun Java Development kit you can get it here: http://java.sun.com/javase/downloads/index.jsp


Now make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft User Management] winuser.exe
O4 - HKLM\..\RunServices: [Microsoft User Management] winuser.exe
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\SuperCD\IntraLaunch.CAB

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
c:\windows\system32\winuser.exe

Now run Ccleaner.

Now reboot in normal mode
Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Try the below patch! Overwrite the previous fixMe.reg patch.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Just double click on the outer border of the Task Manager window.

 

That IP address is for a location in Taiwan.

It appears that your TrendMicro Firewall may not be blocking somethings that it should be blocking. Have you had any problems with it? Check the internal settings to see what applications are being allowed internet access. See if there is anything you do not recognize (or that you recognize as being bad). I'm not familiar with TrendMicro's firewall so I don't know what they call it or where it will be, but make sure the Internet Security Zone is set to Stealth Mode to completely hide your PC from the internet. Also check to see what level your Trusted Zone is set too.

If the above winfile32.exe has just appeared after you attach the previous logs, I need new logs from GetRunKey, ShowNew, and HJT.

Also, please download Blacklight Beta

• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please post contents of the BlackLight log.

 

Let's make sure your Trend Micro is current!

What scan engin version for Trend Micro are you running? It should be Version 8.320 You can get it here if necessary. http://www.trendmicro.com/download/engine.asp

Also what is your Pattern File? The current one should be Official Pattern Release 3.997.00 If you don't have this, then download it and install it. Get it here if necessary: http://www.trendmicro.com/download/viruspattern.asp

After getting these updates installed, follow the below procedure.


Download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

Disable System Restore. See the below if you don't know how to do this:

Disable And Enable System Restore


Make sure you are in normal boot mode. Disconnect your cable to the internet (unplug it).

Then run a full scan with TrendMicro. Make sure you scan ALL FILES. Let it fix what it finds. Save a log if possible.

Reboot your PC and reconnect your cable to the internet.

Tell me if anything is found. Attach a log if you were able to save one otherwise tell me if anything was found.

Install the below Microsoft Patch if your system has not already been updated to this:

http://www.microsoft.com/technet/security/Bulletin/MS00-035.mspx

 

Those last three indicate you are missing some necessary Windows Updates. Goto the below link and install your updates make sure you check for both Windows Updates and other Microsoft software updates (like MS Office ....etc).

Windows Update

 

• Download the attached GetWF.zip file.
• Extract the two files inside the ZIP to the same folder where you have extracted the files for ShowNew.
• This should put two new files (GetWF.bat and zip.exe) into the ShowNew folder.
• Locate the GetWF.bat file and double click on it to run it.
• This will create a log named c:\filelist.txt and will also compress the log into a file named c:\filelist.zip. Attach the filelist.zip file to your next message. The file is being compressed because it can become quite large and this will keep the size with in the boundaries of attachment sizes limits.

 

Well there's a load of files in that log but I'm not finding anything that stands out as a problem. All of the files you mentioned that are showing up have different trojan/virus names and do slightly different things. Here is some info on them, just click the blue hot links and it will take you to the information:

Winfile32.exe - Rbot.EQV

winprgs32.exe - WORM_SDBOT.AFA - you did not show this one but it seems related.

dllrun32.exe - WORM_RBOT.BAC

winsockx.exe - WORM_SDBOT.AUW

taskmng.exe - WORM_SOHANAD.H

mws.exe - WORM_RBOT.PJ

msdns.exe - WORM_TANG.A

msdevelop.exe - WORM_RBOT.CYL

a.bat - BAT_BATTEN.A

In the log posted thus far, I'm not seeing any signs of any of these! We may need to peek into the registry at some service entries. But first, since TrendMicro updated today, lets give there new definitions a run AFTER WE DISABLE System Restore.

Disable System Restore ( see Disable And Enable System Restore )
Install the below and perform a scan and see if anything else is found.

• • Trend Micro Pattern File for Windows 4.103.00

 

You should start reading thru the other links too.

It's doing it job in catching the files once they are on your PC, the question is how are they getting there. There has to be a process somewhere the is creating these. Can you run a cople of tests (or maybe answer without the test)?

1. If you reboot your PC with your cable to the internet disconnected (unplug the cable) and DO NOT open any browsers. Just let the PC sit there or just run things not needing a connection to the net. Do you get infections appearing?
2. If the answer is no to number 1, how about if you reboot with your internet connection enabled (plugged in) and DO NOT open any browsers at all. Just let the PC sit there. Do you get infections appearing?

It found a new one:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_VIRUT.A

How do you connect to the internet (dial-up, cable, DSL)? Do you have a router?

 

Download the attached GetCCSS.zip file and extract both files from it into a folder (put them in the same folder as ShowNew.bat). Then run the GetCCSS.bat file. It will createtwo files, c:\servicelist.txt and c:\servicelist.zip

Upload the servicelist.zip file here. The servicelist.txt file is going to be very large and that is why I compressed it into the servicelist.zip file so it could be uploaded. It is going to take me awhile to look thru this for anything bad.

 

Download it again from the same link!

 

Ah! Then I would definitely recommend that you get yourself a router inbetween your ADSL Modem and your PC. All newer routers have a hardware firewall in them and this will give you an added layer of protection and isolate your PC from the net.

 

I did not notice anything in that huge ServiceList file! But it is rather difficult to sort thru all of that manually. You get eye weary!


Now run this procedure: Using Sophos Anti-Rootkit

Now let's run another rootkit detector (sometime one program picks up things the others don't). Please run this AVG Anti-Rootkit and save a log

Now attach the below new logs and tell me how the above steps went.

1. sarscan.log from Sophos
2. AVG Anti-Rookit log

Now Please download ProcessExplorer

• Unzip it to its own folder somewhere you can locate it.
• Make sure that ONE and only one Internet Explore browser session is open.
• Now run procexp.exe by double clicking on it.
• Let's configure some options first:
  • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
  • Now click on iexplore.exe.
  • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
• Now click on File and then Save As. And save the process list. Call this one iexplore.txt
• Post it back here as an attachment.

Now repeat the above procedure but select explorer.exe instead of iexplore.exe and save a new log call this one explorer.txt

Attach the iexplore.txt and explore.txt logs!

 

I'm not sure if you specifically answered my question earlier. If you keep your internet connection unplugged for a day (or however long you think it would normally take to come back) do the files reappear? Or do they only reappear when a connection is available.


Do you have internet access in safe mode? Do these files re-appear (after cleaning) if you only stay booted in safe mode.

 

Okay! This could indicate that the problem may be coming in from outside. If this is the case it may be that your firewall is letting things in that should not be. Can the firewall in Trend Micro be uninstall or just disabled? I would like to replace it with ZoneAlarm (at least while trying to debug this problem). Here is my proposal and it is important to follow the steps in the order given:

1. Dowload ZoneAlarmFree
2. Unplug your cable to the internet
3. Uninstall or disable Trend Micro's firewall. If uninstall was needed, reboot.
4. Install ZoneAlarmFree and reboot again after install (it should prompt you to do this anyway).
5. Configure ZoneAlarm after reboot (it will do most of it automatically)
6. If ZoneAlarm complains at any point that no network connection is available, you will have to reconnect the cable at that point. Otherwise reconnect the cable after the setting up ZoneAlarm.

Now make sure you have delete all the bad files....etc. Now let's see if the problems come back also note exactly what messages popup in ZoneAlarm. If you don't recognize something as being valid, don't give it access thru ZoneAlarm. Obviously you already know the malware filenames so if they show up, block them.

This will be an interesting test which should be done before the above install of ZoneAlarm.

 

You're welcome!

That is what I suspected when in message number 9 I said:

And then in message #22 when I asked

Make sure you work thru the below ASAP!

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!