
Topic: Looking for information about suspicious files/suspected malware


ATGUNWAT (Topic Starter, Greenhorn, Experience: Expert, OS: Windows 7)
I am looking for information about the following files:

C:\Users\Owner\AppData\Local\temp\RarSFX0\h\explorer.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\h\iexplore.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\nird\iexplore.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\procs\explorer.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\procs\iexplore.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\procs\proc.dat
C:\Users\Owner\AppData\Local\temp\RarSFX0\curo.reg
C:\Users\Owner\AppData\Local\temp\RarSFX0\extra.dat
C:\Users\Owner\AppData\Local\temp\RarSFX0\lmro.reg
C:\Users\Owner\AppData\Local\temp\RarSFX0\lmroe.reg
C:\Users\Owner\AppData\Local\temp\RarSFX0\nircmd.chm
C:\Users\Owner\AppData\Local\temp\RarSFX0\nircmd.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\nircmdc.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\pev.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\prep.bat
C:\Users\Owner\AppData\Local\temp\RarSFX0\rkill.bat
C:\Users\Owner\AppData\Local\temp\RarSFX0\rkill.reg
C:\Users\Owner\AppData\Local\temp\RarSFX0\s.inf
C:\Users\Owner\AppData\Local\temp\RarSFX0\sed.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\serv.dat
C:\Users\Owner\AppData\Local\temp\RarSFX0\sh.vbs
C:\Users\Owner\AppData\Local\temp\RarSFX0\swreg.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\userinit.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\winlogon.exe
C:\Users\Owner\AppData\Local\temp\RarSFX0\wl.txt

and an empty folder located at:
C:\Windows\Xsxs\Xenocode\Sandbox
I am familiar with this folder, from several of my customers computers, but...
I do not know how it ended up on my machine, and I am NOT happy about its presence.

I am also familiar with the majority of these files, but I also know that they should NOT be running from a temp folder.
There may be a legitimate reason they are there, but I can't think of one.
I suppose it is possible that they could be related to one of the many specialized malware removal tools I have used, but I suspect they are NOT and I am proceeding on that assumption unless someone knowledgeable tells me otherwise.
(exceptions would be the rkill and combofix related files, I do know that they run from temp folders)

I also have "runonce" entry for the group policy editor and 3 scheduled tasks I am not sure about.
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT

Any insight anyone could offer on the above-mentioned files would be greatly appreciated.

I am afraid I might really have the 111 hidden rootkit processes that Spy DLL Remover keeps warning me about, but I am hoping these are false positives, because I am not looking forward to wiping 3.5TBs of data from 8 HDDs to deal with what could potentially be a TDL4 infestation.

For the sake of full disclosure, I do keep several live samples of TDL4 (some with certain traits from the Stuxnet worm) as well as a whole menagerie of other malware that I use for research and learning purposes.
I keep these triple zipped and in a sandboxed folder on an external hard drive.
(which I thought was secure, but now I am starting to have some doubts about that assumption)

I am also curious if anyone here is familiar with a ".#" file extension?

Thanks in advance for your time,
ATGUNWAT
aka: Ron

(so, who is up for a little excitement tonight?)
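Before deciding anything about files like these, a responder first checks where each name sits relative to where its genuine copy lives and whether it is staged somewhere user-writable. The following is an added example, not from the post or from any tool it mentions, that runs that check over the paths quoted above; the expected-location table and the temp-directory markers are assumptions about a default 32-bit Windows 7 layout.

```python
"""Triage of the file paths quoted in the opening post (added example).

Flags three things a responder cares about before touching anything:
  - a well-known Windows binary name outside the directory where its
    genuine copy lives,
  - an executable, script or registry file staged under a temp directory,
  - anything inside a WinRAR self-extractor working folder (RarSFX<n>).
The expected locations are assumed defaults for a 32-bit Windows 7 install.
"""
import ntpath
import re
from collections import Counter

# Assumed home directories of the genuine binaries (lower-case for matching).
EXPECTED_DIRS = {
    "winlogon.exe": {"c:\\windows\\system32"},
    "userinit.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows"},
    "iexplore.exe": {
        "c:\\program files\\internet explorer",
        "c:\\program files (x86)\\internet explorer",
    },
}

# Substrings that mark user-writable temp locations (assumed defaults).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Extensions that run code or change system state when launched.
ACTIVE_EXT = {".exe", ".com", ".scr", ".dll", ".bat", ".cmd", ".vbs", ".reg", ".inf"}

# The paths from the post, copied as given (constructed sample input).
SAMPLE_PATHS = [
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\h\explorer.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\h\iexplore.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\nird\iexplore.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\procs\explorer.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\procs\iexplore.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\procs\proc.dat",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\curo.reg",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\extra.dat",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\lmro.reg",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\lmroe.reg",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\nircmd.chm",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\nircmd.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\nircmdc.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\pev.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\prep.bat",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\rkill.bat",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\rkill.reg",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\s.inf",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\sed.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\serv.dat",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\sh.vbs",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\swreg.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\userinit.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\winlogon.exe",
    r"C:\Users\Owner\AppData\Local\temp\RarSFX0\wl.txt",
]


def triage_path(path):
    """Return the finding kinds for one path; an empty list means nothing notable."""
    low = path.lower()
    directory, name = ntpath.split(low)
    ext = ntpath.splitext(name)[1]
    findings = []
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        findings.append("misplaced-system-binary")
    if ext in ACTIVE_EXT and any(marker in low for marker in TEMP_MARKERS):
        findings.append("active-file-in-temp")
    if re.search(r"\\rarsfx\d+\\", low):
        findings.append("rarsfx-folder")
    return findings


def triage(paths):
    """Map each path to its findings, keeping only paths that raised at least one."""
    result = {}
    for path in paths:
        findings = triage_path(path)
        if findings:
            result[path] = findings
    return result


def count_by_kind(paths):
    """How many of the paths raised each finding kind."""
    counts = Counter()
    for findings in triage(paths).values():
        counts.update(findings)
    return counts


if __name__ == "__main__":
    for path, findings in triage(SAMPLE_PATHS).items():
        print(path, "->", ", ".join(findings))
    print(dict(count_by_kind(SAMPLE_PATHS)))
```

A "misplaced-system-binary" hit says nothing about the file's content; the next step is to hash the flagged file and compare it with the genuine copy in its expected directory.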

SuperDave (Malware Removal Specialist, Moderator, Genius, Thanked: 1020, Experience: Expert, OS: Windows 10)
Re: Looking for information about suspicious files/suspected malware
« Reply #1 on: June 23, 2011, 04:25:18 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*******************************************************
If you want help cleaning this computer I will need to run some scans and take a look at the logs.

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes.
* If you encounter any problems while downloading the updates, manually download and unzip them from here.
* Next click the Preferences button.
  • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts.
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  Please leave the others unchecked.
* Click the Close button to leave the control center screen.
* On the main screen click Scan your computer.
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information please do the following:
* After reboot, double-click the SUPERAntiSpyware icon on your desktop.
* Click Preferences. Click the Statistics/Logs tab.
* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
* It will open in your default text editor (preferably Notepad).
* Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Copy and Paste the log in your post.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
************************************************
Download DDS from HERE or HERE and save it to your desktop.

* Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it).
* XP users Double click on dds to run it.
* If your antivirus or firewall tries to block DDS then please allow it to run.
* When finished DDS will open two (2) logs:
  1) DDS.txt
  2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.
Windows 8 and Windows 10 dual boot with two SSD's

ATGUNWAT
Re: Looking for information about suspicious files/suspected malware
« Reply #2 on: June 24, 2011, 09:45:25 PM »
Hello,

Thanks for getting back to me on this issue.

I'm not sure of the forum guidelines around here or how you feel about posting on multiple forums, but I am registered on bleepingcomputer[dot]com too. (using the same user name as here)

They were swamped and I knew it would probably be a few days before I heard something back from them.
In the meantime, I was checking out your log analyzer when I read something about getting a response in as little as a few minutes.

I wasn't sure what the workload was like here so I decided to give it a shot.

I left a post there earlier, so you may want to check out the details there to bring yourself up to speed on the entire ordeal, before trying to develop a game plan.

Link: http://www.bleepingcomputer.com/forums/topic405939.html

It is a rather lengthy post, and I understand you guys are busy here too, but when you get a chance, please look it over and see if it is something you still want to tackle.

Right now, I will take good advice from whoever has any insight on how to proceed (even though the helpers at bleepingcomputer don't like that) especially if the adviser has previous experience with this specific issue.
(although I have never heard of anything even remotely like what I have going on right now)

I think those files I listed may have been created by rkill, but I am far from certain about that.

I'm sure you are familiar with rkill. Could you definitively confirm whether or not that is the case?
(They also might have been created by a rootkit trying to sandbox my attempts to detect and remove it.)

I have no way to tell for sure, because I didn't familiarize myself with the inner workings of rkill before I found myself in this situation, and now I have no faith in any of the results that originate from this machine.

It sure would be nice to know with some certainty about those legitimate looking (at least in name) files running from a temp location, (especially when one of the sub folders is sporting a name like "nird") and whether they are in fact created by rkill?

I know those are certainly not the legitimate "winlogon.exe, userinit.exe, iexplore.exe, and explorer.exe" and just may be someones attempt at humor.

(a sort of joke, or should I say "шутка," on me)

Any insight you could offer would be greatly appreciated.

If it is OK with you, could I use the portable equivalent "SAS_random-number.com" to generate the log?

I have lots of files and try to use as many portables as possible to minimize the impact on my bloated registry.

Also, due to the sheer number of files I have, (over 3.5TB) it might take 2 days to complete a full scan.

Just in case you don't get a chance to read my post on the other forum (BC) I am running in safe mode and have a really ugly new "unknown" device listed in my device manager. (I have no idea what to make of it)
It has all my network controllers, hard drive controllers, composite bus drivers, even my antivirus drivers, (Just about everything) listed as "siblings" on the details tab of its properties dialog box.


I have disabled "unknown", but then it might have just gone through the motions, for my benefit.

I know that this all makes me sound like a crackpot, but all I can do is post any evidence I have found, and hope for some good advice from someone with some direct experience in firmware rootkits or PLC infections. (or better yet disinfection) This thing even seems to be active when I boot to a PE disk. (linux, xp, and win7PE)

I have a 1.99GB memory dump I can't get to open in any text editor. (and I am quite frustrated)

I'm just not sure how to proceed from here...

Thanks again,

ATGUNWAT

Acronym for: All The Good User Names Were Already Taken

trojan.agent (Newbie, Experience: Beginner, OS: Unknown)
Re: Looking for information about suspicious files/suspected malware
« Reply #3 on: June 25, 2011, 12:38:04 PM »
Please do not hijack someone else's thread. It is rude. If you need help, start your own thread.
« Last Edit: June 25, 2011, 04:43:17 PM by SuperDave »

trojan.agent
Re: Looking for information about suspicious files/suspected malware
« Reply #4 on: June 25, 2011, 12:50:28 PM »
Edited.
« Last Edit: June 25, 2011, 04:43:42 PM by SuperDave »

SuperDave
Re: Looking for information about suspicious files/suspected malware
« Reply #5 on: June 25, 2011, 04:50:23 PM »
Quote
Right now, I will take good advice from whoever has any insight on how to proceed (even though the helpers at bleepingcomputer don't like that) especially if the adviser has previous experience with this specific issue.
(although I have never heard of anything even remotely like what I have going on right now)
You will have to decide on which forum you're going to get help from. If you decide to receive help from this forum, please run the scans and post the logs. Also, inform BleepingComputer that you are no longer interested in their help.

ATGUNWAT
Re: Looking for information about suspicious files/suspected malware
« Reply #6 on: June 25, 2011, 05:06:58 PM »
Yes, I know.
Sorry about that.

I have been a member of BC for the past 6 months, and this is my first time posting here.
I was desperate for a quick reply because I have been missing work because of this whole fiasco.

Please don't take this personally, you guys here, as well as many other forums, do a great service for their users.

This whole thing is quite an embarrassment for me, and I see at least one user has already made a rush to judgement that resulted in drastic action based on little or no input from a qualified tech/helper.

It was not my intent to cause anyone to take any actions, and so far, I have taken none myself.

You can remove the thread if you like.

Sorry to have bothered you with my problems, and any disruptions it has caused.
(I have most likely caused them myself, and will eventually solve them the same way)

Thanks for your valuable time.

ATGUNWAT

PS. Would it still be OK to use your log analyzer from time to time?
Although it is still only a beta, it seems to have great potential.
« Last Edit: June 25, 2011, 05:20:23 PM by ATGUNWAT »

SuperDave
Re: Looking for information about suspicious files/suspected malware
« Reply #7 on: June 25, 2011, 05:20:10 PM »
Quote
Sorry to have bothered you with my problems, and any disruptions it has caused.
(I have most likely caused them myself, and will eventually solve them the same way)
You have not bothered me and have caused no disruptions.
Quote
This whole thing is quite an embarrassment for me, and I see at least one user has already made a rush to judgement that resulted in drastic action based on little or no input from a qualified tech/helper.
If you're talking about the hijack by trojan.agent, it's just a standard warning to not jump into someone else's thread.
Quote
I was desperate for a quick reply because I have been missing work because of this whole fiasco.
I gave you a quick reply. You started your thread here at June 23, 2011, 02:48:34 AM. I responded at June 23, 2011, 07:25:18 PM. You started your other thread at BC at June 24/11 07:02 PM. BTW, you were hijacked by trojan.agent on that site also. You still haven't received a reply from BC yet. If you had started the scans I described, we would be almost finished with the cleaning by now.
Quote
You can remove the thread if you like.
I will lock this thread in 24 hours, if that is your wish.

ATGUNWAT
Re: Looking for information about suspicious files/suspected malware
« Reply #8 on: June 25, 2011, 05:29:17 PM »
The thing that embarrasses me most is, getting an infection that I can't get rid of.
(especially when it is obviously self inflicted)

I will post back if I discover anything useful about my new nemesis.

Thanks again,

ATGUNWAT

SuperDave
Re: Looking for information about suspicious files/suspected malware
« Reply #9 on: June 25, 2011, 05:39:21 PM »
Quote
The thing that embarrasses me most is, getting an infection that I can't get rid of.
(especially when it is obviously self inflicted)

I will post back if I discover anything useful about my new nemesis.

Thanks again,

ATGUNWAT
Unless you run the scans and post the logs, I can't help you.

ATGUNWAT
Re: Looking for information about suspicious files/suspected malware
« Reply #10 on: June 26, 2011, 07:17:45 PM »
Super Dave,

You have been very patient with me, and I appreciate that more than you know.

I would like to keep this thread open a bit longer, but if I post a log here, BC may not want to help me there.

Don't take that the wrong way, their help is certainly NOT better than the help I would receive here (obviously, since I have gotten ABSOLUTELY NO RESPONSE from those I have tried to remain loyal to) it is just that my goal is to get a sample to sUBs for study. (who seems to only have ties to BC)
That would ultimately benefit way more people than just myself.
Please try to understand my intentions, and the reasoning behind them.

Thanks once again,

ATGUNWAT

(my loyalties must have been misplaced, and that WILL be resolved, once my malware issue is)

SuperDave
Re: Looking for information about suspicious files/suspected malware
« Reply #11 on: June 26, 2011, 07:50:32 PM »
I followed your thread on BC and I must say that you're going about cleaning the computer the wrong way and you will probably do more damage than good. One has to go through a certain procedure to clean a computer and it took me over four years to learn that and I'm still learning. You can't just google something and try it. That won't work and may make matters worse. If you had started the scans when I replied to you, we would be just about finished by now. However, it's your computer and you can do whatever you wish with it.

ATGUNWAT
Re: Looking for information about suspicious files/suspected malware
« Reply #12 on: June 27, 2011, 01:11:20 PM »
I'm sure it appears that I am clueless about proper removal procedure.
This is the first time I have ever tried this approach, and I have never heard of anyone else using such a method, and I got none of the steps I have attempted from google. This is also the first time I have ever even heard of anyone trying to remove malware through the device manager. The problem is, the only place I see any changes from my normal config is in the device manager. (believe me, if someone had told me to try this, I would think they were crazy, inept, or just plain stupid, but it gets results when all the standard methods I tried, did not)

I started to go through the device manager attempting to rule out driver updates to any of my installed hardware as a possible source of false positives, when I noticed that the number of "hidden rootkit" processes detected by SpyDllRemover was actually going down rather than increasing as it had been doing before. (up to 114 at one point)

The number of "hidden rootkit processes" is constantly fluctuating. See the screen shots in my BC thread. (As of right now, 2:47pm, I have 4 detected) Whatever it is doesn't seem to load early in the start up process, like you would expect malware to do, but seems to have a delayed start up. (I only have 4 services set to delayed start up, and I know all 4 of them, and they are legit) Each hidden and previously removed or non-plug and play driver I had, listed that odd list of siblings, and none of the currently installed and known to be legit entries did. Even my antivirus (panda) and hitman pro are listed there. (as if the device manager thinks they are related to hardware devices)

I know SpyDllRemover is not one of the tools you use or recommend here, but I have used it many times on this machine, with this exact same hardware configuration, and NEVER gotten any positive results. (false or otherwise)
Now all of the sudden, with the same hardware and software configuration as I have always had, and using the same and unaltered tools that I have always used, I am getting these different and disturbing results.

SpyDllRemover does not use definitions\signatures and has received no updates of any kind. I have added no new hardware to my configuration. Actually, since I first started getting the results from SpyDllRemover, I have removed ALL non-essential hardware. (4 external hard drives, webcam, printer, flash drive) All I currently have connected is my keyboard, mouse and monitor. Something has changed to cause the detections. I stopped updating that thread on BC because it made it appear I was being helped, but yesterday the detections grew to 11 and dropped back to 1 (several times) and at a few points even dropped to zero, but inevitably always returns to some non-zero value.

Maybe that's normal, but I doubt it. It is certainly not normal for this (my) machine.

Radix and VBA32 antirootkit (which I know are other unapproved tools) also seem to agree with SpyDllRemover. (so it is not just a single product detection) GMER (which is approved, but user mode only) detects nothing.
I am NOT trying to be argumentative, and please don't take it that way. I am just trying to relay to you why I have been taking such an unorthodox approach. It is just something I wanted to try because the standard approach was getting me nowhere. (as of right now 3:10pm my detections have increased by 3 for a total of 7) That trend will continue until I reboot. I figure something must be using DLL injection or another similar technique to patch the files in memory, as none of the files on the hard drive seem to be affected. That is also why I suspect a possible PLC rootkit.

I am at a loss for another explanation.

ATGUNWAT

I have detected some ADS connected to some firefox bookmarks to youtube videos, but no other files are detected.
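The fluctuating hidden-process count described in the reply above is what a cross-view detector reports when the two process enumerations it compares are not taken at the same instant. As an added illustration (constructed data, not the thread's, and not SpyDllRemover's or any other tool's internals), the snippet below compares sample high-level and low-level process views over several snapshots and keeps only the entries that stay hidden across most of them.

```python
"""Cross-view hidden-process check with persistence filtering (added example).

A cross-view detector compares a process list from a high-level API with one
from a lower-level source and reports PIDs only the low-level source sees.
The two enumerations are not atomic, so a process that starts or exits
between them looks "hidden" for that one snapshot, which is a benign reason
for the reported count to move between runs. Requiring the same (pid, name)
to be hidden across several snapshots separates that noise from something
that is concealed consistently. All data below is constructed sample data.
"""
from collections import Counter

# Processes present in both views of every snapshot (constructed).
BASE = {4: "System", 400: "winlogon.exe", 520: "services.exe", 1024: "explorer.exe"}

# (high_view, low_view) pairs, PID -> image name. PID 3344 never appears in
# a high-level view; 1200 and 1201 are short-lived and straddle one
# enumeration each (1201 is visible to both views by the next snapshot).
SNAPSHOTS = [
    (dict(BASE), {**BASE, 1200: "svchost.exe", 3344: "(unknown)"}),
    (dict(BASE), {**BASE, 3344: "(unknown)"}),
    (dict(BASE), {**BASE, 1201: "conhost.exe", 3344: "(unknown)"}),
    ({**BASE, 1201: "conhost.exe"}, {**BASE, 1201: "conhost.exe", 3344: "(unknown)"}),
]


def hidden_in_snapshot(high, low):
    """(pid, name) pairs the low-level view reports but the high-level one lacks."""
    return {(pid, name) for pid, name in low.items() if pid not in high}


def raw_hidden_counts(snapshots):
    """What a single-pass detector would display after each run."""
    return [len(hidden_in_snapshot(high, low)) for high, low in snapshots]


def persistent_hidden(snapshots, min_hits):
    """Entries hidden in at least min_hits snapshots, with their hit counts.

    Keying on (pid, name) rather than pid alone keeps a reused PID from
    inheriting the count of an earlier, unrelated process.
    """
    hits = Counter()
    for high, low in snapshots:
        hits.update(hidden_in_snapshot(high, low))
    return {entry: n for entry, n in hits.items() if n >= min_hits}


def report(snapshots, min_hits):
    """Human-readable summary: raw counts first, then what survives filtering."""
    lines = ["hidden per snapshot: %s" % raw_hidden_counts(snapshots)]
    survivors = persistent_hidden(snapshots, min_hits)
    if not survivors:
        lines.append("no entry hidden in %d or more snapshots" % min_hits)
    for (pid, name), n in sorted(survivors.items()):
        lines.append("pid %d (%s): hidden in %d of %d snapshots" % (pid, name, n, len(snapshots)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SNAPSHOTS, min_hits=3)))
```

The raw counts swing between 1 and 2 purely because of the short-lived processes, while only PID 3344 survives the persistence filter; a real investigation would then dump and inspect that one process rather than chase the count.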

ATGUNWAT
Re: Looking for information about suspicious files/suspected malware
« Reply #13 on: June 27, 2011, 02:15:25 PM »
My typical removal procedure is:

1) Look in the task manager for any unknown processes, and kill any found.
2) Remove any unnecessary start up entries with autoruns, (portable) then reboot the PC.
3) Clean all temp files for all user accounts and the prefetch folder. (with CCleaner, Killbox, and ATF - all portables)
4) Install and run mbam, (quick scan) and remove any infections found.
5) Run Hitman Pro, and remove any infections found. (one time scan, not full installation)
6) Run NoraScan, and remove any infections found. (portable)
7) Run SpyDllRemover. Because it is extremely fast and checks for hidden processes in memory. (portable)

I do these first because they are fast and finish quickly.

8) Then I run a full scan with Super Antispyware, (portable) removing any infections found when complete.
9) While SAS runs I go through all 3 of the folders under the hidden appdata in 7 and vista or hidden application data and local settings\application data folders in XP looking for and deleting any temp files left behind, as well as suspicious random file names - files.
10) Generate logs with hijack hunter, OTL, and dds, and look through these logs while I wait for SAS to finish.
11) Run a rootkit scan with Norton Power Eraser. (portable)
12) Run GMER and TDSSkiller (portables)
13) Run a combofix scan if there is still any anomalous behavior on the pc.
14) Try out any new tools I have to test. (like radix, spbat, avz, PErvert, vba32-ark, PSscanner, DWshark, NVT-MR, etc.)

This procedure may vary slightly in the order in which I run these tools and the tools used, depending on the OS and architecture. (x86 vs x64)

I tried ALL THAT first, and that's how I found the hidden rootkit processes with SpyDllRemover.

I NEVER use the methods I am currently trying on my machine, on a client's machine.
I would just back-up and reinstall windows if the above methods didn't produce the desired results.

I would however love to learn to write custom cleaning scripts for combofix and old timer's tools, (and I have experimented with this on my virtual PC's) but I lack the confidence to do that on a client's system.

I would also never confuse confidence with competence.

I am a big fan of the scientific method, and use a logical and methodical approach to most things that I do.
(one of my favorite pastimes is studying physics, and I especially like subatomic particle physics)
Just to give you some insight into me, as a person and my personality.
That may make me weird, or unusual, but I am NOT a crackpot.

ATGUNWAT

and yes, I know you never said I was a crackpot, I just thought I would throw that in because you probably at least considered that as a possibility.
« Last Edit: June 27, 2011, 02:28:28 PM by ATGUNWAT »