32788R22FWJFW, in my C: also system restore fake scans popping up Options

[rabbitail]

I was trying to download a song and instead must have ended up with a virus of some sort. Started off with black screen and then the popup messages then warnings and scans. All files were hidden couldn't bring up task manager. I did run combofix which unhide my files and now task manager works. I noticed an unknown file in my C: named 32788R22FWJFW how do I rid this mess?

[TechieRanger]

Hi, and welcome to our malware removal forum!

My name is Richard and I'll be happy to help you with your computer problems.

Please be advised that I am currently in training, so my responses will need to be approved by one of our experts before I post them. This is only to ensure you are receiving accurate instructions. It may cause a delay in my replies.

Please note the following:

• The cleaning process is not instant as logs can take time to research. Sit tight and please be patient.
• I will be working on your malware issues. This may or may not solve other issues you may have with your system.
• While we are fixing your problems, do NOT install/re-install any programs or run any fixes or scanners unless told to do so.
• Ensure that your anti-virus definitions are up-to-date.
• I would advise backing up all your important documents, personal data files and photos to a CD or DVD drive.
• Do not back up any Applications (programs). These should be re-installed from the original source CD(s) or website(s).
• During the course of our cleanup, please do not do any additional online work or surfing until we have verified that your system is clean.
• I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.
• Be sure to follow the directions and run tools/scans in the order listed.
• If you do not reply to your topic, it will be closed after 3 days.

I will return as soon as possible with more instructions.



Regards,

Richard

[TechieRanger]

ComboFix is a very powerful tool. It is not recommended to run ComboFix without expert supervision.

If a ComboFix log was produced, please post that.

ComboFix logs are located at c:\ComboFix.txt, while older logs are at c:\Qoobox\ComboFix2.txt, c:\Qoobox\ComboFix3.txt, etc.

Next

Download DDS by sUBs to your desktop.
Disable any script blocker/antivirus software temporarily.

• Double click DDS.scr to run it and wait for the scan to finish
• When finished DDS.txt will open
• At the next prompt, press Yes
• DDS will continue scanning
• When done, Attach.txt will open
• Save both reports to your Desktop.
• Please post the contents of the logs in your next reply.

Next

GMER Rootkit Scanner
---------------
Download GMER Rootkit Scanner from here to to your Desktop. It will be a randomly named executable.

• Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
• In the right panel, you will see several boxes that have been checked. uncheck the following:
  
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your Desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

In your next reply, please provide the following:

• ComboFix log.
• DDS.txt
• attach.txt
• GMER log.

Regards,

Richard

[rabbitail]

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by User at 22:10:04 on 2012-03-03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.63 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://isearch.avg.com/?cid={B5C77A59-F93B-4C12-86D6-D82DF8D44C65}&mid=a4b1663a544647d19591d15b79cf6381-6757d02be948c45dd48c31d239cb241dce73470c&lang=en&ds=ins12&pr=sa&d=2012-02-28 11:38:59&v=10.0.0.7&sap=hp
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [niEJngRwieOhYh.exe] c:\documents and settings\all users\application data\niEJngRwieOhYh.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\automa~1.lnk - c:\troopmaster software\automailer\AutoMailer.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: DhcpNameServer = 66.182.71.3 66.182.72.3
TCP: Interfaces\{74C7BEB2-9987-49DD-A53D-4D418AF6E349} : DhcpNameServer = 66.182.71.3 66.182.72.3
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007-4-24 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007-4-24 5248]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-2 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-2 136176]
.
=============== Created Last 30 ================
.
2012-03-01 02:16:55 -------- d-----w- C:\annicka2
2012-02-29 06:14:17 355328 ----a-w- c:\documents and settings\all users\application data\C5NkBr6W5RPgxh.exe
2012-02-29 05:28:47 448000 ----a-w- c:\documents and settings\all users\application data\niEJngRwieOhYh.exe
2012-02-28 18:38:48 -------- d--h--w- c:\program files\AVG Secure Search
2012-02-28 18:38:42 -------- d-----w- c:\documents and settings\all users\application data\Common Files
2012-02-28 18:35:47 -------- d--h--w- c:\program files\Moozy
.
==================== Find3M ====================
.
2012-01-29 12:10:42 237072 ---h--w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 22:10:51.71 ===============

[rabbitail]

Dude this is dude, I ran a search for the combo fix log, can't find it on my computer. I posted the DDS 1st report and attached the second. Thanks.

Attached File(s)

 attach.txt ( 12.95K ) Number of downloads: 23

 

[rabbitail]

Heres the Gmer, again I did a file search for the combofix and nothing, I know it did something because it unhid my files, however I don't think I downloaded the program to my computer, I don't know if that matters or not.

Attached File(s)

 Gmer.txt ( 6.93K ) Number of downloads: 23

 

[TechieRanger]

Thanks for the GMER log.

Please download DeFogger to your Desktop.

• Double-click DeFogger to run the tool.
• The application window will appear.
• Click the Disable button to disable your CD Emulation drivers.
• Click Yes to continue.
• A 'Finished!' message will appear.
• Click OK.
• DeFogger will now ask to reboot the machine - click OK.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.



Regards,

Richard

[TechieRanger]

Please delete your copy of ComboFix.exe and then download a fresh copy of ComboFix:

COMBOFIX
---------------

Please download ComboFix from one of the following locations:

• Location #1
• Location #2
  ***IMPORTANT!!! Save the file as Sheriff.exe to your Desktop. It is important you rename ComboFix during the download, but not after. In the event that you already have ComboFix, this is a new version that I need you to download.
• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Sheriff.exe and follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a Congratulations!!! message.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Sheriff.txt in your next reply.

WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.

• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
• If there is no internet connection after running ComboFix, then restart your computer to restore back your connection.

In your next reply, please provide the following:

• ComboFix log.

Regards,

Richard

[TechieRanger]

It has been two days or more since my last post. Do you still need help or more time?



Regards,

Richard

[rabbitail]

Sorry for the delay, busy work week. I had to hire a new employee due to retirement of another.

Attached File(s)

 sheriff.txt ( 5.77K ) Number of downloads: 18

 

[TechieRanger]

Please do not update the computer at this time, but could you let me know why it has not been updated to Service Pack 3?

I recommend keeping internet use to a minimum while we work together to reduce the risk of further infection which can worsen the state of the computer.

Next

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click the SystemLook and copy/paste the following into the box:
  
  CODE
  :dir
  C:\annicka2
  :regfind
  ambuhelper1
  :filefind
  niEJngRwieOhYh.exe
  *Moozy*
  :folderfind
  *Moozy*
• Click the Look button. Let it finish the scan.
• When finished, a notepad window will open with the results of the scan. Post the content of the log here in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

In your next reply, please provide the following:

• SystemLook log.
• Update on how your PC is running.

Regards,

Richard

[rabbitail]

PC is running, all the programs came back a little slow on the net. Am I suppose to have the service pack 3? I try really hard not to download anything when updates say they need updated, seems I get too much junk with it. Let me know if I need to get the service pack. Thanks

Attached File(s)

 SystemLook.txt ( 2.21K ) Number of downloads: 48

 

[TechieRanger]

Thanks for the information

Please do not update the computer at this time. I will tell you when it is safe to update.

It is very important that you install all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and IE up to date will help make you less susceptible to future malware infections.

Before we start: The following steps involve modifying the registry. Modifying the registry can be dangerous (and can render your system unbootable) so it's advisable that you make a backup of the registry before proceeding.

First, please backup your Registry with ERUNT.

• Please go here to download ERUNT.
• For version with the Installer: Use the setup program to install ERUNT on your computer.
• For the zipped version: Unzip all the files into a folder of your choice.

Run Erunt.exe to backup your registry to the folder of your choice.

Note: To restore your registry, go to the folder and start ERDNT.exe

Next

Please download OTM by OldTimer.

• Save it to your desktop.
• Please click OTM and then click >> run.
• Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

CODE

:Processes
explorer.exe

:Reg
[-HKEY_CURRENT_USER\Software\ambuhelper1]
[-HKEY_USERS\S-1-5-21-1606980848-1708537768-725345543-1003\Software\ambuhelper1]

:Files
c:\program files\Moozy

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM

Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Next

Please post a fresh DDS log so I can review it.

In your next reply, please provide the following:

• OTM log.
• DDS log.

Regards,

Richard

[TechieRanger]

It has been two days or more since my last post. Do you still need help or more time?



Regards,

Richard