Solved Malware not detected by anti-virus; ping.exe and redirect

I'll remove infected meiudf.sys file.
Let me know if it had any impact on your DVD drive.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code: 
    :OTL
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKU\S-1-5-21-1966462703-706777120-1833522803-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O15 - HKU\S-1-5-21-1966462703-706777120-1833522803-1006\..Trusted Domains: microsoft.com ([*.update] http in Trusted sites)
O15 - HKU\S-1-5-21-1966462703-706777120-1833522803-1006\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O15 - HKU\S-1-5-21-1966462703-706777120-1833522803-1006\..Trusted Domains: microsoft.com ([update] http in Trusted sites)
O15 - HKU\S-1-5-21-1966462703-706777120-1833522803-1006\..Trusted Domains: microsoft.com ([update] https in Trusted sites)
O15 - HKU\S-1-5-21-1966462703-706777120-1833522803-1006\..Trusted Domains: microsoft.com ([windowsupdate] http in Trusted sites)
O15 - HKU\S-1-5-21-1966462703-706777120-1833522803-1006\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[2011/12/20 09:19:20 | 000,005,730 | -HS- | M] () -- C:\Documents and Settings\Owen\Local Settings\Application Data\edycjw4c3dcq4pvx4nml0f141n4q
[2011/12/20 09:19:20 | 000,005,730 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\edycjw4c3dcq4pvx4nml0f141n4q
[2011/10/24 19:56:35 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~1kAlMiG2Kb7FzPr
[2011/10/24 19:56:34 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~1kAlMiG2Kb7FzP
[2011/10/24 19:56:09 | 000,000,456 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1kAlMiG2Kb7FzP
[2011/10/24 14:15:47 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
[2011/10/24 14:15:46 | 000,000,232 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
[2011/10/24 13:29:11 | 000,000,456 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk


:Services

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" =-

:Files
C:\WINDOWS\system32\drivers\meiudf.sys

:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

==============================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
OTL Fix Log

Broni,

Thanks so much for your help on Christmas of all days! We may change the name of the day to Bronimas around here if this keeps up. Below is the OTL Fix log. Other files coming soon.

Thanks again.

OdieOss

----

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{BA52B914-B692-46c4-B683-905236F6F655} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA52B914-B692-46c4-B683-905236F6F655}\ not found.
Registry value HKEY_USERS\S-1-5-21-1966462703-706777120-1833522803-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry key HKEY_USERS\S-1-5-21-1966462703-706777120-1833522803-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\*.update\ deleted successfully.
Invalid CLSID key: *.update
Registry key HKEY_USERS\S-1-5-21-1966462703-706777120-1833522803-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\*.update\ not found.
Invalid CLSID key: *.update
Registry key HKEY_USERS\S-1-5-21-1966462703-706777120-1833522803-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\update\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1966462703-706777120-1833522803-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\update\ not found.
Registry key HKEY_USERS\S-1-5-21-1966462703-706777120-1833522803-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\windowsupdate\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1966462703-706777120-1833522803-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windowsupdate.com\download\ deleted successfully.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
C:\Documents and Settings\Owen\Local Settings\Application Data\edycjw4c3dcq4pvx4nml0f141n4q moved successfully.
C:\Documents and Settings\All Users\Application Data\edycjw4c3dcq4pvx4nml0f141n4q moved successfully.
C:\Documents and Settings\All Users\Application Data\~1kAlMiG2Kb7FzPr moved successfully.
C:\Documents and Settings\All Users\Application Data\~1kAlMiG2Kb7FzP moved successfully.
C:\Documents and Settings\All Users\Application Data\1kAlMiG2Kb7FzP moved successfully.
C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr moved successfully.
C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk moved successfully.
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
========== FILES ==========
C:\WINDOWS\system32\drivers\meiudf.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56516 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 434 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 17995 bytes

User: Owen
->Temp folder emptied: 51205887 bytes
->Temporary Internet Files folder emptied: 2162822 bytes
->Java cache emptied: 462321649 bytes
->FireFox cache emptied: 31759236 bytes
->Flash cache emptied: 3089576 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 44607 bytes

Total Files Cleaned = 525.00 mb


[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owen
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12252011_155943

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Security Check Log

Hi Broni,

Update on computer performance. It runs fine once it is loaded. Haven't seen any processes out of the ordinary. It takes 15+ minutes to start up in normal mode. Not sure what the story is but it is a slow start up.

Still need to: (1) find a DVD to check the DVD drive and (2) fiddle on the internet to ensure there aren't any re-directs.

I ran scans all afternoon. The ESET scanner ran for four hours before the computer seemingly turned off on its own. I am in the process of running it again. Before it turned off it had found another Trojan Virus (note: Win32/Sirefef.DA trojan). Will post the log of that after letting it re-run overnight.

The Security Check log is below.

Feliz Bronimas!

Thanks,

OdieOss


---------------

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Symantec AntiVirus
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 17
Out of date Java installed!
Adobe Flash Player 11.0.1.152
Mozilla Firefox (3.6.24) Firefox Out of Date!
Mozilla Thunderbird (3.1.16) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
Symantec AntiVirus DoScan.exe
``````````End of Log````````````
 
1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
 
ESET Scan Log

Hi Broni,

I am attaching the ESET Scan Log below. JAVA has been fully updated and old versions removed.

OdieOss

-------------------


C:\Documents and Settings\Owen\Desktop\meiudf.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0142233.exe a variant of Win32/Kryptik.XTE trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0142234.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0142246.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0142253.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0142264.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0143265.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0143491.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0143498.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0143510.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0143586.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0143666.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP1557\A0143749.sys Win32/Sirefef.DA trojan
C:\_OTL\MovedFiles\12252011_155943\C_WINDOWS\system32\drivers\meiudf.sys Win32/Sirefef.DA trojan
 
Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code: 
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
OTL Fix Log, Take 2

Hi Broni,

Here is the OTL log from the first step of the cleanup process. More to come.

Thanks,

OdieOss


All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owen
->Temp folder emptied: 18776224 bytes
->Temporary Internet Files folder emptied: 38766 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 39996882 bytes
->Flash cache emptied: 1314 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17048 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1070462 bytes

Total Files Cleaned = 57.00 mb


[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owen
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.31.0 log created on 12262011_151643

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Final Steps

Hi Broni,

I hope this finds you well.

I have a couple of final questions for you:
1. My DVD driver no longer works. Placing DVD's in the drive causes the computer to respond appropriately but it is not recognized in windows. This isn't so critical, but if you had any suggestions about how to approach it, I would appreciate it. (As you recall we removed the meiudf.sys file).

2. My computer's start up time is pretty slow. I am defragging overnight, and have otherwise followed all the steps outlined. Since you are somewhat familiar with my computer's structure do you have a recommendation about what programs to remove to speed up start up? Are there utilities out there you could recommend.

I remain in your debt.

OdieOss
 
load ups, drivers

Hi Broni,

1. My DVD player is a MATSHITA DVD-RAM UJ-840S. Listed options include: UJ-835, UJ-845. What if we add the two files together and then divide by two?

2. I did a start up test:
Safe Mode: between 5 and 6 minutes
Normal Mode: between 14 and 15 minutes

Thanks,

OdieOss
 
1. Try to install both of them but one at a time and see if it works.

2. You must have some other issues (hardware?).
In this forum, we make sure, your computer is free of malware and your computer is clean :)
Because the access to malware forum is very limited, your best option is to create new topic about your current issue, at Windows section.
You'll get more attention.
 
You're very welcome
smiley_says_hello.gif
 
You must log in or register to reply here.

Similar threads

N
Routers from Asus, Netgear, and Cisco are being targeted by a sophisticated malware campaign
Replies
4
Views
1K
Avro Arrow
Avro Arrow
C
Solved Malware \ProductData + possibly more, on two devices
Replies
4
Views
8K
Broni
Broni
NonTechyDad
Solved Malware removal for my son's pc
2
Replies
33
Views
7K
Broni
Broni

Latest posts

Back