
Thread: Corrupt MS office and media files?


  1. #1

    Corrupt MS office and media files?

    Hello all,

    I have posted here a few times and have received great advice so I'm back w/ another prob. I consistently get the notification "Windows has detected that some of your MS Office and media files are corrupt. Click here to download the recommended software to fix the problem."

    If I click the balloon it pops up a window asking me to install FileFix 2009 Professional (can't find anything legit on it), which I have not done as of yet. Sometimes as many as 20-25 Internet Explorer windows will open in a short time randomly, or audio will play in the background. When this happens I open my processes and end IEXPLORE.exe and it ends.

    I've run through the "read before requesting assistance" thread, which usually handles any baddies I pick up, but this one evades me.

    My HJT log:

    http://hjt.networktechs.com/parse.php?log=606458

    Something of note is that there was a winsock 10 prob that couldn't be fixed before this scan was run. I downloaded the suggested tool and removed it, but the problem persists.

    I ran the Kaspersky scanner and saved the log, but apparently I can't attach HTML files. Maybe there's another way. Thanks for the time and consideration.


    Edit: An update: It seems that the internet explorer windows/background sound have stopped after all. I am still consistently getting the pop-up window though.
    Last edited by rellell; 03-12-2009 at 03:41 PM.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Could you please run HJT again, save the log and post it via a plain old copy/paste. Please don't use the analyzer; it is way out of date (it hasn't been updated since probably 2006 at the latest) and its use is not recommended. If you will note, it actually flags HijackThis itself as bad and says it should always be removed. That is because this analyzer doesn't recognize a version that has been around for well over a year, maybe longer.
    Also, you have startups disabled using msconfig. We need to see what is there, so please go back and re-enable a normal startup so we can see all entries.
    Judy

  3. #3
    Alright, I enabled normal startup and reran the log. Here are my results.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:51:50 PM, on 3/13/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Utopia\Angel\Angel.exe
    C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Electronic Arts\EADM\Core.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\oodag.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\TEMP\CE46ED.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\Program Files\hijackthis\analyzer.exe

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
    O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
    O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\bittorrent.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\fpfstb.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - c:\Program Files\Zune\ZuneNss.exe (file missing)

    --
    End of file - 6841 bytes

  4. #4
    Thanks for the log. A couple of things here.
    First you need to turn off Spybot TeaTimer, as it can interfere with attempted fixes. To do this:

    * Run Spybot-S&D in Advanced Mode
    * If it is not already set to do this, go to the Mode menu and select Advanced Mode
    * On the left hand side, click on Tools
    * Then click on the Resident icon in the list
    * Uncheck Resident TeaTimer and OK any prompts.
    * Restart your computer

    Another thing I see is Malwarebytes Anti-Malware set to run on reboot. Did you do a scan with MBA-M? If so, where is the log?
    Update the program, run a Full System scan, have it remove all that is found, reboot and post back here with that log.

    Next I would like you to go to this website:

    http://virusscan.jotti.org/

    Here you can upload files from the computer for scanning by multiple antivirus programs and get a report on the possible infection in the file. It should give you a log. Please post that log back here.

    This is the file I would like you to upload:

    C:\WINDOWS\system32\fpfstb.dll

    Come back with the results of those scans.
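
The checks Judy applies by hand to the HJT log above (a populated AppInit_DLLs entry, a process running out of TEMP, an autorun launched from a temp folder, a service whose binary is missing) can be written down as a small triage script. This is an added example, not part of the thread and not HijackThis code; the sample log is constructed from lines posted in this thread (the random-named O4 entry is built from the Run value and dropper path the MBAM log below reports), and the "machine-generated name" heuristic is an assumption of this example, not an HJT rule.

```python
import re

# Constructed sample for this example: lines copied from the HijackThis log posted in this thread,
# plus one O4 line built from the Run value and dropper path that the MBAM log further down reports.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\TEMP\CE46ED.EXE

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [jk9okz3t6naetprlb9hmpsgsoutgp4q] C:\Documents and Settings\Administrator\Local Settings\Temp\c629rmm.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\fpfstb.dll
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - c:\Program Files\Zune\ZuneNss.exe (file missing)
"""

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)          # ...\TEMP\... or ...\Local Settings\Temp\...
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{12,}$")  # assumed heuristic: long letter/digit soup
O4_ENTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def triage(log_text):
    """Return (severity, reason, line) tuples for HijackThis lines that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):      # blank lines and headers such as 'Running processes:'
            continue
        if DRIVE_PATH.match(line) and TEMP_DIR.search(line):
            findings.append(("high", "process running from a temp directory", line))
            continue
        m = O4_ENTRY.match(line)
        if m:
            name, command = m.group(2), m.group(3)
            if RANDOM_NAME.match(name):
                findings.append(("medium", "autorun value name looks machine-generated", line))
            if TEMP_DIR.search(command):
                findings.append(("high", "autorun launches a binary from a temp directory", line))
            continue
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # AppInit_DLLs loads the listed DLL into every process that loads user32.dll;
            # on a home PC a populated entry is almost always worth submitting for analysis.
            findings.append(("high", "AppInit_DLLs entry loads a DLL into every GUI process", line))
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            findings.append(("low", "service points at a missing binary (orphan, not an infection by itself)", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it against a full pasted log to get the short list of lines worth submitting to a multi-engine scanner such as the Jotti service mentioned above.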

  5. #5
    Join Date
    Sep 2006
    Posts
    1
    Sorry for jumping in on this thread, but some AV vendors and I have been looking for a sample of this ransomware.

    Before deleting the file can you please submit a sample of the DLL infection to me so that we can analyze it?

    The file I am looking for is:

    C:\Windows\System32\fpfstb.dll

    Simply go here and fill in the required fields and browse to the C:\Windows\System32\fpfstb.dll file on your desktop. Finally click on the Send File button.


    Thanks in advance.

  6. #6

    Sorry for the delay...

    I apologize for the delay in my response. Below are the results of my last MBAM scan. I uploaded the requested file to each site. My Trend Micro is now identifying the file you requested, but cannot fix/quarantine it. There are manual removal instructions on their website but they seem long. I'll do them if necessary, of course. Thanks for the help.

    Malwarebytes' Anti-Malware 1.34
    Database version: 1837
    Windows 5.1.2600 Service Pack 2

    3/11/2009 8:41:08 PM
    mbam-log-2009-03-11 (20-41-08).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 224180
    Time elapsed: 1 hour(s), 2 minute(s), 37 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 1
    Registry Keys Infected: 6
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 8

    Memory Processes Infected:
    C:\Documents and Settings\Administrator\Local Settings\Temp\c629rmm.exe (Trojan.Dropper) -> Unloaded process successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\rtlyw2vd4fls.exe (Trojan.Dropper) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\ehzwqb.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0c87a27d-85c1-47bb-b5c8-db9da2f58896} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{0c87a27d-85c1-47bb-b5c8-db9da2f58896} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0c87a27d-85c1-47bb-b5c8-db9da2f58896} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jk9okz3t6naetprlb9hmpsgsoutgp4q (Trojan.Dropper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\ehzwqb.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Documents and Settings\Administrator\Local Settings\Temp\c629rmm.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\rtlyw2vd4fls.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\z2dsfw96axd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\ijs8bg3xl.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP516\A0249780.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP517\A0250807.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{32A4C9FD-E632-479E-9950-A4B9F3B72022}\RP517\A0250808.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

  7. #7
    If you have been using the computer since this last MBA-M scan, it really is pretty much a worthless post; plus, it was run two days BEFORE the HJT log you posted. In order to really clean a computer the steps must be done as rapidly as possible. We have no way of knowing what else may have gotten on the computer in the past 11 days. I am not sure who you are speaking to when you say "uploaded the requested file to each site". I am not even certain WHO this Grinler person is; he certainly is not a regular poster here.
    If you want to clean the computer then you will have to update MBA-M, run another Full System scan and have it clean everything found. You say your Trend Micro is now identifying the file this person requested, but you do not say what identification it is giving. Unless I get full information there is no way I can tell you what to attempt to remove it.

  8. #8
    Did you reboot the system before running the HJT scan? If not, please do so now, run another HJT scan and post the log. Also, please turn off that BitTorrent program and STOP it from running automatically at startup. P2P programs open a direct line onto your computer; security measures are easily and very often consciously avoided. Malware writers often use them to spread their nasty infections onto your computer. Add to that, if your P2P program is not configured correctly you may be sharing more files than you intended. You possibly could be sharing your passwords, address books and other personal, private, and financial information.

  9. #9
    Yes the HJT log is after reboot. I had the P2P along w/ other progs turned off at startup via the msconfig purposely before you asked me to turn them off. Should I be doing something within the program to stop it?
    Last edited by rellell; 03-23-2009 at 02:05 PM.

  10. #10
    Just wanted to be absolutely certain it WAS turned off. This is probably one way you could have gotten this infection. It is very prevalent via P2P sharing; I have personally cleaned two computers in the past week where it was very evident this was how the infection came onto the computer: one via actual download and the other via a flash drive containing P2P music files.
    Am going through your HJT log right now and will get back with you on it.
    I would also recommend that you do a Full System scan with the Online ESET Scanner. Allow it to fix anything found. You must turn OFF your firewall and antivirus program and use IE to do this scan. Post the log produced by the scan too, if you will.
