32788R22FWJFW


This topic is locked
13 replies to this topic

#1 rabbitail (New Member, 6 posts)

Posted 27 February 2012 - 09:31 PM

I was trying to download a song and instead must have ended up with a virus of some sort. Started off with a black screen and then the popup messages, then warnings and scans. All files were hidden; couldn't bring up Task Manager. I did run ComboFix, which unhid my files, and now Task Manager works. I noticed an unknown file in my C: named 32788R22FWJFW. How do I rid this mess?


#2 TechieRanger (SuperMember, 1,017 posts)

Posted 28 February 2012 - 05:48 PM

Hi, and welcome to our malware removal forum!

My name is Richard and I'll be happy to help you with your computer problems.

Please be advised that I am currently in training, so my responses will need to be approved by one of our experts before I post them. This is only to ensure you are receiving accurate instructions. It may cause a delay in my replies.

Please note the following:
  • The cleaning process is not instant as logs can take time to research. Sit tight and please be patient.
  • I will be working on your malware issues. This may or may not solve other issues you may have with your system.
  • While we are fixing your problems, do NOT install/re-install any programs or run any fixes or scanners unless told to do so.
  • Ensure that your anti-virus definitions are up-to-date.
  • I would advise backing up all your important documents, personal data files and photos to a CD or DVD drive.
  • Do not back up any Applications (programs). These should be re-installed from the original source CD(s) or website(s).
  • During the course of our cleanup, please do not do any additional online work or surfing until we have verified that your system is clean.
  • I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.
  • Be sure to follow the directions and run tools/scans in the order listed.
  • If you do not reply to your topic, it will be closed after 3 days.
I will return as soon as possible with more instructions.



Regards,

Richard :wavey:
Richard
Proud Graduate of WTT Classroom

#3 TechieRanger (SuperMember, 1,017 posts)

Posted 01 March 2012 - 07:21 AM

ComboFix is a very powerful tool. It is not recommended to run ComboFix without expert supervision.

If a ComboFix log was produced, please post that.

ComboFix logs are located at c:\ComboFix.txt, while older logs are at c:\Qoobox\ComboFix2.txt, c:\Qoobox\ComboFix3.txt, etc.

Next

Download DDS by sUBs to your desktop.
Disable any script blocker/antivirus software temporarily.
  • Double click DDS.scr to run it and wait for the scan to finish
  • When finished DDS.txt will open
  • At the next prompt, press Yes
  • DDS will continue scanning
  • When done, Attach.txt will open
  • Save both reports to your Desktop.
  • Please post the contents of the logs in your next reply.
Next

GMER Rootkit Scanner
---------------
Download GMER Rootkit Scanner from here to your Desktop. It will be a randomly named executable.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. uncheck the following:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your Desktop, and attach it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


In your next reply, please provide the following:
  • ComboFix log.
  • DDS.txt
  • Attach.txt
  • GMER log.



Regards,

Richard :wavey:

#4 rabbitail (New Member, 6 posts)

Posted 01 March 2012 - 11:17 PM

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by User at 22:10:04 on 2012-03-03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.63 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://isearch.avg.com/?cid={B5C77A59-F93B-4C12-86D6-D82DF8D44C65}&mid=a4b1663a544647d19591d15b79cf6381-6757d02be948c45dd48c31d239cb241dce73470c&lang=en&ds=ins12&pr=sa&d=2012-02-28 11:38:59&v=10.0.0.7&sap=hp
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [niEJngRwieOhYh.exe] c:\documents and settings\all users\application data\niEJngRwieOhYh.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\automa~1.lnk - c:\troopmaster software\automailer\AutoMailer.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: DhcpNameServer = 66.182.71.3 66.182.72.3
TCP: Interfaces\{74C7BEB2-9987-49DD-A53D-4D418AF6E349} : DhcpNameServer = 66.182.71.3 66.182.72.3
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007-4-24 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007-4-24 5248]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-2 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-2 136176]
.
=============== Created Last 30 ================
.
2012-03-01 02:16:55  --------  d-----w-  C:\annicka2
2012-02-29 06:14:17  355328    ----a-w-  c:\documents and settings\all users\application data\C5NkBr6W5RPgxh.exe
2012-02-29 05:28:47  448000    ----a-w-  c:\documents and settings\all users\application data\niEJngRwieOhYh.exe
2012-02-28 18:38:48  --------  d--h--w-  c:\program files\AVG Secure Search
2012-02-28 18:38:42  --------  d-----w-  c:\documents and settings\all users\application data\Common Files
2012-02-28 18:35:47  --------  d--h--w-  c:\program files\Moozy
.
==================== Find3M ====================
.
2012-01-29 12:10:42  237072  ---h--w-  c:\windows\system32\MpSigStub.exe
.
============= FINISH: 22:10:51.71 ===============
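An added triage example, written for this page and not part of the thread, the DDS tool, or any helper's script: a small Python parser that reads the "Pseudo HJT Report" and "Created Last 30" sections of a DDS log and flags the kinds of entries a malware-removal helper looks for first. The log text inside it is a constructed excerpt of the log posted above; the data-directory pattern, the case-flip threshold (0.4) and the list of lockdown policy names are this example's own heuristics, not anything DDS itself reports.

```python
"""Triage the autorun, policy and recently-created entries of a DDS log.

Added example, not the DDS tool's or the forum's own code. SAMPLE_DDS_LOG is a
constructed excerpt of the log posted in reply #4 of this thread.
"""
import re

SAMPLE_DDS_LOG = r"""
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [niEJngRwieOhYh.exe] c:\documents and settings\all users\application data\niEJngRwieOhYh.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
=============== Created Last 30 ================
2012-02-29 06:14:17 355328 ----a-w- c:\documents and settings\all users\application data\C5NkBr6W5RPgxh.exe
2012-02-29 05:28:47 448000 ----a-w- c:\documents and settings\all users\application data\niEJngRwieOhYh.exe
2012-02-28 18:35:47 -------- d--h--w- c:\program files\Moozy
2012-01-29 12:10:42 237072 ---h--w- c:\windows\system32\MpSigStub.exe
"""

# uRun/mRun autorun lines: [name] then an optionally quoted path to an .exe.
RUN_RE = re.compile(r'^[um]Run:\s+\[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]+?\.exe)"?', re.I)
# uPolicies-*/mPolicies-* lines: key = value (hex in parentheses ignored).
POLICY_RE = re.compile(r"^[um]Policies-(?P<scope>\w+):\s+(?P<key>\w+)\s*=\s*(?P<value>\S+)", re.I)
# "Created Last 30" rows: timestamp, size, 8-char attribute string, path.
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$", re.I
)
# Heuristic (assumption of this example): an .exe sitting directly in a
# user-writable data directory on XP (Application Data or a temp folder).
DATA_DIR_EXE_RE = re.compile(r"\\(application data|temp)\\[^\\]+\.exe$", re.I)
# Standard Windows Explorer/system policy names used to lock a user out.
LOCKDOWN_POLICIES = {"disabletaskmgr", "disableregistrytools", "nodesktop", "norun", "nocontrolpanel"}
CASE_FLIP_THRESHOLD = 0.4  # heuristic cut-off for "looks randomly generated"


def case_flip_ratio(name):
    """Share of adjacent letter pairs whose case differs; random names score high."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    return flips / (len(letters) - 1)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(log_text):
    """Return findings (dicts with kind, severity, detail) for a DDS log's text."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("====="):
            section = line.strip("= ").lower()  # e.g. "created last 30"
            continue
        m = RUN_RE.match(line)
        if m and DATA_DIR_EXE_RE.search(m["path"]):
            stem = basename(m["path"]).rsplit(".", 1)[0]
            sev = "high" if case_flip_ratio(stem) >= CASE_FLIP_THRESHOLD else "medium"
            findings.append({"kind": "autorun", "severity": sev, "detail": m["path"]})
            continue
        m = POLICY_RE.match(line)
        if m and m["key"].lower() in LOCKDOWN_POLICIES and m["value"] != "0":
            findings.append({"kind": "policy", "severity": "high",
                             "detail": f"{m['scope']}\\{m['key']} = {m['value']}"})
            continue
        m = CREATED_RE.match(line)
        if m and section == "created last 30":
            attrs, path = m["attrs"], m["path"]
            if attrs.startswith("d") and "h" in attrs:
                # Newly created hidden directory: worth a look, not proof of anything.
                findings.append({"kind": "hidden-dir", "severity": "review", "detail": path})
            elif DATA_DIR_EXE_RE.search(path):
                findings.append({"kind": "new-exe", "severity": "high", "detail": path})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LOG):
        print(f"[{f['severity']:6}] {f['kind']:10} {f['detail']}")
```

Run it on a saved DDS.txt by passing the file's contents to triage(). On the excerpt above it flags the autorun and the two fresh executables in All Users\Application Data, the NoDesktop and DisableTaskMgr policies, and the hidden Moozy folder, while leaving the Brother, Adobe and Java entries alone; the location check is deliberately the primary signal, because legitimate vendor names (BrStDvPt, MpSigStub) also score high on the case-flip heuristic alone.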

#5 rabbitail (New Member, 6 posts)

Posted 01 March 2012 - 11:34 PM

Dude this is dude, I ran a search for the combo fix log, can't find it on my computer. I posted the DDS 1st report and attached the second. Thanks.


#6 rabbitail (New Member, 6 posts)

Posted 02 March 2012 - 10:49 AM

Here's the GMER. Again, I did a file search for the ComboFix log and nothing. I know it did something because it unhid my files; however, I don't think I downloaded the program to my computer. I don't know if that matters or not.

Attached File: Gmer.txt (6.93KB, 202 downloads)


#7 TechieRanger (SuperMember, 1,017 posts)

Posted 02 March 2012 - 12:00 PM

Thanks for the GMER log. :)

Please download DeFogger to your Desktop.
  • Double-click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger will now ask to reboot the machine - click OK.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.



Regards,

Richard :wavey:

#8 TechieRanger (SuperMember, 1,017 posts)

Posted 02 March 2012 - 06:06 PM

Please delete your copy of ComboFix.exe and then download a fresh copy of ComboFix:

COMBOFIX
---------------

Please download ComboFix from one of the following locations:
  • Location #1
  • Location #2
    ***IMPORTANT!!! Save the file as Sheriff.exe to your Desktop. It is important you rename ComboFix during the download, but not after. In the event that you already have ComboFix, this is a new version that I need you to download.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Sheriff.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a Congratulations!!! message.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Sheriff.txt in your next reply.

WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no internet connection after running ComboFix, then restart your computer to restore your connection.
In your next reply, please provide the following:
  • ComboFix log.



Regards,

Richard :wavey:

#9 TechieRanger (SuperMember, 1,017 posts)

Posted 07 March 2012 - 08:05 AM

It has been two days or more since my last post. Do you still need help or more time? :) Regards, Richard :wavey:

#10 rabbitail (New Member, 6 posts)

Posted 07 March 2012 - 11:50 PM

Sorry for the delay, busy work week. I had to hire a new employee due to retirement of another.


#11 TechieRanger (SuperMember, 1,017 posts)

Posted 09 March 2012 - 08:17 AM

Please do not update the computer at this time, but could you let me know why it has not been updated to Service Pack 3?

I recommend keeping internet use to a minimum while we work together to reduce the risk of further infection which can worsen the state of the computer. :thumbup:

Next

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box:
    :dir
    C:\annicka2
    :regfind
    ambuhelper1
    :filefind
    niEJngRwieOhYh.exe
    *Moozy*
    :folderfind
    *Moozy*
  • Click the Look button. Let it finish the scan.
  • When finished, a notepad window will open with the results of the scan. Post the content of the log here in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

In your next reply, please provide the following:
  • SystemLook log.
  • Update on how your PC is running.



Regards,

Richard :wavey:

#12 rabbitail (New Member, 6 posts)

Posted 09 March 2012 - 08:59 PM

PC is running, all the programs came back, a little slow on the net. Am I supposed to have the Service Pack 3? I try really hard not to download anything when updates say they need updating; it seems I get too much junk with it. Let me know if I need to get the service pack. Thanks


#13 TechieRanger (SuperMember, 1,017 posts)

Posted 10 March 2012 - 09:35 AM

Thanks for the information :thumbup:

Please do not update the computer at this time. I will tell you when it is safe to update. :)

It is very important that you install all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and IE up to date will help make you less susceptible to future malware infections.

Before we start: The following steps involve modifying the registry. Modifying the registry can be dangerous (and can render your system unbootable) so it's advisable that you make a backup of the registry before proceeding.

First, please backup your Registry with ERUNT.
  • Please go here to download ERUNT.
  • For version with the Installer: Use the setup program to install ERUNT on your computer.
  • For the zipped version: Unzip all the files into a folder of your choice.
Run Erunt.exe to backup your registry to the folder of your choice.

Note: To restore your registry, go to the folder and start ERDNT.exe

Next

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please click OTM and then click >> run.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Reg
[-HKEY_CURRENT_USER\Software\ambuhelper1]
[-HKEY_USERS\S-1-5-21-1606980848-1708537768-725345543-1003\Software\ambuhelper1]

:Files
c:\program files\Moozy

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Next

Please post a fresh DDS log so I can review it.

In your next reply, please provide the following:
  • OTM log.
  • DDS log.



Regards,

Richard :wavey:

#14 TechieRanger (SuperMember, 1,017 posts)

Posted 16 March 2012 - 08:59 AM

It has been two days or more since my last post. Do you still need help or more time? :) Regards, Richard :wavey: