Показано с 1 по 10 из 10.

fighting msvmiode.exe and cfdrive32.exe on XP

  1. #1
    Junior Member Репутация
    Регистрация
    16.08.2010
    Сообщений
    5
    Вес репутации
    50

    fighting msvmiode.exe and cfdrive32.exe on XP

    Hi all,

    I have dificulty fighting msvmiode.exe and cfdrive32.exe on XP. Tried various methods to kill them but they still apears again. I would need help finding a root who creates them. As an effect antivirus sites are blocked, some net trafic is generated, plus in the usb flash drive as soon as they are connected new hiden aurotun.inf and randoim folder + exe is created.
    The latest MS malicious removal tool finds Conficker.C or .B, and Pushbot, telling it is removed, but after reboot they are here again.

    Any ideas what can be done?

  2. #2
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Hello
    - Disconnect your PC from network (internet/intranet)
    - Disable antivirus, firewall and other memory resident security tools
    - Disable System Restore


    - Execute following script
    Код:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    ClearQuarantine;
     TerminateProcessByName('c:\windows\system32\msvmiode.exe');
     TerminateProcessByName('c:\windows\cfdrive32.exe');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','Wireless Zero ConfigurationWZCSvc (XP)');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','Windows Logon Application');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','TCP/IP NetBIOS Helper');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','Spooler SubSystem App');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','Plug and Play');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','NTLM Security Support Provider');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','Local Security Authority Service');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','Background Intelligent Transfer Service');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','Application Layer Gateway service');
     RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Print Spooler');
     RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','MSRPC');
    RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\vjuipt');
    RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\lctlvvrss');
    RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\golkolmzc');
    RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\fopkx');
    RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\fnjibzm');
    RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\fdfrhob');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon','Taskman');
     QuarantineFileF('%appdata%', 'exe.*', false, '', 0, 0);
     QuarantineFile('c:\windows\system32\msvmiode.exe','');
     QuarantineFile('c:\windows\system32\11.exe','');
     QuarantineFile('c:\windows\cfdrive32.exe','');
     QuarantineFile('C:\autorun.inf','');
     DeleteFileMask('%appdata%','*.exe', false);
     DeleteFile('C:\WINDOWS\system32\msvmiode.exe');
     DeleteFile('C:\WINDOWS\system32\11.exe');
     DeleteFile('C:\WINDOWS\cfdrive32.exe');
     DeleteFile('C:\autorun.inf');
    DeleteService('vjuipt');
    DeleteService('lctlvvrss');
    DeleteService('golkolmzc');
    DeleteService('fopkx');
    DeleteService('fnjibzm');
    DeleteService('fdfrhob');
    ExecuteWizard('TSW', 2, 2, true);
    ExecuteWizard('SCU', 2, 2, true);
    BC_ImportAll;
    ExecuteSysClean;
    BC_Activate;
    SetAVZPMStatus(True);
    RebootWindows(true);
    end.
    If the system after reboot would try to install any unknown hardware, abort the installtion and remove unknown hardware over hardware manager

    After reboot:

    execute following script
    Код:
    begin
    CreateQurantineArchive('C:\quarantine.zip');
    end.
    - Upload C:\quarantine.zip here: http://virusinfo.info/upload_virus_eng.php?tid=85585
    - Make new logs and attach them to the new posting.

    PS:
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    You system is a great catastrophe - no SP3, no patches, no IE8. Be ready to update your system asap.
    Последний раз редактировалось Rene-gad; 17.08.2010 в 10:29.

  3. #3
    Junior Member Репутация
    Регистрация
    16.08.2010
    Сообщений
    5
    Вес репутации
    50

    still something wrong

    Yes, systems will undergo updates as soon as problems resolved.

    Scrip did a job. At the begining all looked ok, just AVZ find one suspicious file wit "x" name in system foder. I uploaded 2 separate quarantine archives. First one just aftre executing your script, second after new check where "x" file was found (name "quarantine-X.zip").

    However aftre some 30mins, (and may be one more reboot) all antivirus sites (including this) blocked again, and on the lan connection I see that some havy traffic going out to the internet.

    One note that at the end of execution of script system tried to rebood - bacame empty screen in color of desktop and just alive mouse pointer. It stayed long time like this (~5min). Then I hit Ctrl+Atl+Del and right after this it showed Windows LogOff notification and finished reboot.





    Here

  4. #4
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Цитата Сообщение от marco Посмотреть сообщение
    However aftre some 30mins, (and may be one more reboot) all antivirus sites (including this) blocked again, and on the lan connection I see that some havy traffic going out to the internet.
    You system is very vulnerable, that is why you had received your problem back: install SP3 + all updates + IE 8, than repeat all the logs + log of Malwarebytes antimalware www.malwarebytes.org

  5. #5
    Junior Member Репутация
    Регистрация
    16.08.2010
    Сообщений
    5
    Вес репутации
    50

    Upgraded gut no progress

    Upgraded as suggested. However situation is same. Tried to clean with script (adding new file names as from scan) severeal times. Few mins system looks ok, but then starts generating outgoing traffic and blocks virus sites. Looked hosts file - it is ok, so sites blocked elsewhere.
    Some notes:

    Just after reboot pops up "found new hardware" which is not true, so I cancel it.

    Sometimes after reboot systems report svchost service crash. Then lan look like connected, but browser says no connection.

    Also file ..\Application Data\ltzqai.exe is never killed. After script clean up and reboot it is here again while others are still not present and system works ok for few mins.

    I tried to boot from external disk and delete it, or overwirite content with FF's in hex editor, but later it comes again corrected.

    so it looks like msvmiode.exe cfdrive32.exe is already consequence and ltzqai.exe is the cause, while sombody else takes care about ltzqai.exe.
    Also I have feeling that something wrong near network intrface drive(s).

    Any ideas?

  6. #6
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Close/unload all the programs excepted AVZ and Internet Explorer

    Switch off:
    - Antivirus and and, if you have - Firewall.
    - System Restore
    -Fix with Hijackthis
    Код:
    O4 - HKLM\..\Run: [MSODESNV7] C:\WINDOWS\system32\msvmiode.exe
    O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\cfdrive32.exe
    O4 - HKCU\..\Run: [Background Intelligent Transfer Service] C:\Documents and Settings\RTHD\Application Data\bits.exe
    O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\cfdrive32.exe
    - Execute following script
    Код:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
     TerminateProcessByName('c:\windows\system32\msvmiode.exe');
     TerminateProcessByName('c:\windows\cfdrive32.exe');
     DeleteFile('c:\windows\cfdrive32.exe');
     DeleteFile('c:\windows\system32\msvmiode.exe');
     DeleteFile('C:\Documents and Settings\RTHD\Application Data\ltzqai.exe');
     DeleteFile('C:\Documents and Settings\RTHD\Application Data\bits.exe');
     DeleteFile('C:\Documents and Settings\RTHD\Application Data\WLANSvc.exe');
     RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','Wireless Zero ConfigurationWZCSvc (XP)');
     RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','Wireless Zero ConfigurationWZCSvc (XP)');
     RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Background Intelligent Transfer Service');
     DeleteFile('C:\RECYCLER\S-1-5-21-2810265621-3299971027-892322188-2326\syscr.exe,explorer.exe,C:\Documents and Settings\RTHD\Application Data\ltzqai.exe,Explorer.exe');
     DeleteFile('C:\RECYCLER\S-1-5-21-2810265621-3299971027-892322188-2326\syscr.exe');
     DeleteFile('C:\Documents and Settings\RTHD\Application Data\ltzqai.exe');
     DeleteFile('C:\WINDOWS\cfdrive32.exe');
     DeleteFile('C:\WINDOWS\system32\26.exe');
     DeleteFile('C:\WINDOWS\system32\msvmiode.exe');
     DeleteFile('C:\Documents and Settings\RTHD\Local Settings\Temp\105.exe');
    DeleteFileMask('%appdata%','*.exe', false);
    ExecuteWizard('TSW', 2, 2, true);
    ExecuteWizard('SCU', 3, 3, true);
    BC_ImportAll;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.
    After reboot:
    - Make new logs
    - Make a log file of Malwarebytes Antimalware: http://www.malwarebytes.org/mbam.php

  7. #7
    Junior Member Репутация
    Регистрация
    16.08.2010
    Сообщений
    5
    Вес репутации
    50
    C:\RECYCLER\...\syscr.exe and Application Data\ltzqai.exe is persistantly not deletes or rewrites. Tried 2 times. MBAM seems to give some more hints. Any clues?

  8. #8
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    The files are not visible in AVZ-logs, ergo they are not active anymore.
    Pls. remove all founds with MBAM. Repeat the MBAM-Log.

  9. #9
    Junior Member Репутация
    Регистрация
    16.08.2010
    Сообщений
    5
    Вес репутации
    50
    Done. System is clean and works fine all day. ltzqai.exe is not created any more. MBAM log now is totally empty and I'm not attaching it (let me know if it still has to be posted).

    Now I will go cleaning some other similar PC's using that techniques, and in case of troubles will post new thread.

    So the job is done. Thank you very much for great help!

  10. #10
    Cybernetic Helper Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    29.12.2008
    Сообщений
    48,233
    Вес репутации
    977

    Итог лечения

    Статистика проведенного лечения:
    • Получено карантинов: 6
    • Обработано файлов: 41
    • В ходе лечения обнаружены вредоносные программы:
      1. c:\\windows\\cfdrive32.exe - Net-Worm.Win32.Kolab.kis ( DrWEB: BackDoor.IRC.Bot.166, BitDefender: Trojan.Dropper.TOW, NOD32: IRC/SdBot trojan, AVAST4: Win32:Flot-Q [Wrm] )
      2. c:\\windows\\cfdrive32.exe - Trojan.Win32.Jorik.SdBot.cf ( DrWEB: Trojan.AVKill.2, BitDefender: Trojan.Generic.4847085, NOD32: IRC/SdBot trojan, AVAST4: Win32:Inject-AII [Trj] )
      3. c:\\windows\\cfdrive32.exe - Net-Worm.Win32.Kolab.maa ( DrWEB: Trojan.AVKill.2800, BitDefender: Trojan.Generic.5032117, AVAST4: Win32:Malware-gen )
      4. c:\\windows\\system32\\msvmiode.exe - Net-Worm.Win32.Kolab.kht ( DrWEB: Trojan.Spambot.9106, BitDefender: Worm.Generic.280610, NOD32: Win32/SpamTool.Tedroo.AN trojan, AVAST4: Win32:Flot-Q [Wrm] )
      5. c:\\windows\\system32\\x - Net-Worm.Win32.Kido.ih ( DrWEB: Win32.HLLW.Shadow.based, BitDefender: Win32.Worm.Downadup.Gen, AVAST4: Win32:Confi [Wrm] )


Похожие темы

  1. msvmiode и cfdrive32
    От Лера в разделе Помогите!
    Ответов: 30
    Последнее сообщение: 24.09.2010, 06:43
  2. Cfdrive32.exe и msvmiode.exe
    От ArchitectofRuin в разделе Помогите!
    Ответов: 18
    Последнее сообщение: 20.09.2010, 21:36
  3. Msvmiode.exe и cfdrive32.exe
    От ArchitectofRuin в разделе Помогите!
    Ответов: 19
    Последнее сообщение: 19.09.2010, 01:29
  4. cfdrive32, msvmiode
    От Flange в разделе Помогите!
    Ответов: 11
    Последнее сообщение: 09.09.2010, 10:40
  5. Msvmiode.exe и Cfdrive32.exe
    От Vegas13 в разделе Помогите!
    Ответов: 8
    Последнее сообщение: 09.08.2010, 00:45

Метки для этой темы

Свернуть/Развернуть Ваши права в разделе

  • Вы не можете создавать новые темы
  • Вы не можете отвечать в темах
  • Вы не можете прикреплять вложения
  • Вы не можете редактировать свои сообщения
  •  
Page generated in 0.00322 seconds with 17 queries