trj/ci.a generic malware


25 replies to this topic

#16 mikeleafe (New Member, Authentic Member, 19 posts)
Posted 06 July 2011 - 04:17 PM

ok thanks



#17 mowman (SuperMember, Malware Team, 2,669 posts)
Posted 06 July 2011 - 05:37 PM

Please scan the following files:

  • Please visit Virus Total by clicking here.
  • Click the Browse button and search for the following file: C:\Windows\System32\config\systemprofile\mwfmfysqygfgoseh.exe
  • Click Open.
  • Then click Send File.
  • Please be patient while the file is scanned.
  • If Virus Total tells you that the file has already been scanned, click "reanalyse now".
  • Once the scan results appear, copy and paste them into Notepad and repeat the procedure for the following file(s):
    C:\Windows\System32\config\systemprofile\4BCE.tmp
  • Please provide the results from the scans in your next reply.

This scan can take a very long time.

Please download DrWebCureit. Save it to your desktop:

Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, select Complete scan.
Click the green arrow at the right, and the scan will start.
Click Yes to all if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click File and choose Save report list
Save the report to your desktop. The report will be called DrWeb.csv
Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
Please post the Dr.Web.txt report in your next reply
Close Dr.Web Cureit.
Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.


NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.

#18 mikeleafe (New Member, Authentic Member, 19 posts)
Posted 07 July 2011 - 01:39 AM

Here's the first one:

Antivirus  Version  Last update  Result
AhnLab-V3 2011.07.07.01 2011.07.07 Trojan/Win32.Lebag
AntiVir 7.11.10.245 2011.07.07 TR/Kazy.28359.1
Antiy-AVL 2.0.3.7 2011.07.07 Trojan/Win32.Lebag.gen
Avast 4.8.1351.0 2011.07.06 Win32:Dropper-HAX
Avast5 5.0.677.0 2011.07.06 Win32:Dropper-HAX
AVG 10.0.0.1190 2011.07.06 SHeur3.CFYE
BitDefender 7.2 2011.07.07 Gen:Variant.Kazy.28359
CAT-QuickHeal 11.00 2011.07.07 Trojan.Lebag.dgc
ClamAV 0.97.0.0 2011.07.07 -
Commtouch 5.3.2.6 2011.07.07 -
Comodo 9303 2011.07.07 -
DrWeb 5.0.2.03300 2011.07.07 Win32.HLLM.Reset.129
Emsisoft 5.1.0.8 2011.07.07 Trojan.Win32.Lebag!IK
eSafe 7.0.17.0 2011.07.06 Win32.Suspect.Ba
eTrust-Vet 36.1.8429 2011.07.06 -
F-Prot 4.6.2.117 2011.07.06 -
F-Secure 9.0.16440.0 2011.07.07 Gen:Variant.Kazy.28359
Fortinet 4.2.257.0 2011.07.07 W32/Lebag.DGC!tr
GData 22 2011.07.07 Gen:Variant.Kazy.28359
Ikarus T3.1.1.104.0 2011.07.07 Trojan.Win32.Lebag
Jiangmin 13.0.900 2011.07.06 Trojan/Lebag.tu
K7AntiVirus 9.107.4878 2011.07.06 Trojan
Kaspersky 9.0.0.837 2011.07.07 Trojan.Win32.Lebag.dgc
McAfee 5.400.0.1158 2011.07.07 Suspect-BA!FE90ED7D6144
McAfee-GW-Edition 2010.1D 2011.07.07 Heuristic.LooksLike.Win32.Suspicious.C
Microsoft 1.7000 2011.07.07 Trojan:Win32/Ramnit.A
NOD32 6271 2011.07.07 a variant of Win32/Kryptik.PJV
Norman 6.07.10 2011.07.06 -
nProtect 2011-07-06.01 2011.07.06 Gen:Variant.Kazy.28359
Panda 10.0.3.5 2011.07.06 Generic Trojan
PCTools 8.0.0.5 2011.07.07 Trojan.ADH
Prevx 3.0 2011.07.07 -
Rising 23.65.02.03 2011.07.06 -
Sophos 4.67.0 2011.07.07 Mal/Generic-L
SUPERAntiSpyware 4.40.0.1006 2011.07.07 Trojan.Dropper/Gen
Symantec 20111.1.0.186 2011.07.07 Trojan.ADH.2
TheHacker 6.7.0.1.248 2011.07.07 Trojan/Lebag.dgc
TrendMicro 9.200.0.1012 2011.07.07 TROJ_GEN.RC1C2FT
TrendMicro-HouseCall 9.200.0.1012 2011.07.07 TROJ_GEN.RC1C2FT
VBA32 3.12.16.4 2011.07.06 -
VIPRE 9792 2011.07.07 Trojan.Win32.Generic!BT
ViRobot 2011.7.7.4555 2011.07.07 -
VirusBuster 14.0.112.1 2011.07.06 Trojan.Kryptik!YfWUcRM0pl8

MD5: fe90ed7d6144bd70ae8cba1fdbae06fe
SHA1: 25080d2a5238f04cf6363e8362847b36277bfe3c
SHA256: f5ceb6a1796297eac9d5731ccdf4fd9eb8927d792ba62fa4131a50513ad03b56
ssdeep: 3072:mU4p/VSvUlCurkYViBdTPyqyzQAMP/W8cApz6zI+ISYfH9PJCn3o4ftDb1S97CUI:mUGt5EGkrBd7IFW7cAF4ISYvSn3/b1Sk
File size: 168307 bytes
First seen: 2011-06-21 23:50:42
Last seen: 2011-07-07 07:29:35
TrID: Win32 Executable Generic (42.3%), Win32 Dynamic Link Library (generic) (37.6%), Generic Win/DOS Executable (9.9%), DOS Executable Generic (9.9%), Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0x5734
timedatestamp....: 0x4DEC7EA2 (Mon Jun 06 07:15:46 2011)
machinetype......: 0x14c (I386)
[[ 2 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x87000, 0x24A00, 8.00, e06eb94f02f72834b7911625bce89af3
.rsrc, 0x88000, 0x4FFB, 0x41FB, 5.91, 4f20ebd52688694c9b30de5e94df3601
[[ 7 import(s) ]]
Kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
advapi32.dll: RegSetValueExA, RegFlushKey, RegQueryValueExA, RegEnumKeyExA, RegConnectRegistryA, RegQueryInfoKeyA, RegOpenKeyExA, RegCreateKeyExA
Kernel32.dll: VirtualFree, GetLastError, lstrlenA, GetStdHandle, LoadLibraryExA, lstrcpyA, MultiByteToWideChar, WideCharToMultiByte, VirtualAlloc, LocalAlloc, InitializeCriticalSection, RaiseException, WriteFile, CloseHandle, GetFileSize, SetFilePointer, GetFileType, GetLocaleInfoA, RtlUnwind, GetStartupInfoA, GetThreadLocale, CreateFileA, ExitProcess, GetSystemTime, FreeLibrary, EnterCriticalSection, ReadFile, SetEndOfFile, LocalFree, GetCurrentDirectoryA, SetCurrentDirectoryA, GetCommandLineA, LeaveCriticalSection, VirtualQuery
user32.dll: GetKeyboardType, LoadStringA, MessageBoxA
comctl32.dll: ImageList_DrawEx, ImageList_DragShowNolock, ImageList_DragEnter, ImageList_GetIconSize, ImageList_DragMove, ImageList_Add, ImageList_GetIcon, ImageList_Write, ImageList_SetDragCursorImage, ImageList_SetIconSize, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_GetDragImage, ImageList_Read
winmm.dll: PlaySoundA
winspool.drv: EnumPrintersA, EnumPrintersA, DocumentPropertiesA, OpenPrinterA
ExifTool: file metadata
CodeSize: 25600
EntryPoint: 0x5734
FileSize: 164 kB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 518656
LinkerVersion: 5.12
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2011:06:06 09:15:46+02:00
UninitializedDataSize: 0

#19 mikeleafe (New Member, Authentic Member, 19 posts)
Posted 07 July 2011 - 02:14 AM

Here's the .tmp one:

Antivirus  Version  Last update  Result
AhnLab-V3 2011.07.07.01 2011.07.07 Trojan/Win32.Lebag
AntiVir 7.11.10.245 2011.07.07 TR/Kazy.28359.1
Antiy-AVL 2.0.3.7 2011.07.07 Trojan/Win32.Lebag.gen
Avast 4.8.1351.0 2011.07.06 Win32:Dropper-HAX [Drp]
Avast5 5.0.677.0 2011.07.06 Win32:Dropper-HAX [Drp]
AVG 10.0.0.1190 2011.07.06 SHeur3.CFYE
BitDefender 7.2 2011.07.07 Gen:Variant.Kazy.28359
CAT-QuickHeal 11.00 2011.07.07 Trojan.Lebag.dgc
ClamAV 0.97.0.0 2011.07.07 -
Commtouch 5.3.2.6 2011.07.07 -
Comodo 9303 2011.07.07 -
DrWeb 5.0.2.03300 2011.07.07 Win32.HLLM.Reset.129
Emsisoft 5.1.0.8 2011.07.07 Trojan.Win32.Lebag!IK
eSafe 7.0.17.0 2011.07.06 Win32.Suspect.Ba
eTrust-Vet 36.1.8429 2011.07.06 -
F-Prot 4.6.2.117 2011.07.06 -
F-Secure 9.0.16440.0 2011.07.07 Gen:Variant.Kazy.28359
Fortinet 4.2.257.0 2011.07.07 W32/Lebag.DGC!tr
GData 22 2011.07.07 Gen:Variant.Kazy.28359
Ikarus T3.1.1.104.0 2011.07.07 Trojan.Win32.Lebag
Jiangmin 13.0.900 2011.07.06 Trojan/Lebag.tu
K7AntiVirus 9.107.4878 2011.07.06 Trojan
Kaspersky 9.0.0.837 2011.07.07 Trojan.Win32.Lebag.dgc
McAfee 5.400.0.1158 2011.07.07 Suspect-BA!FE90ED7D6144
McAfee-GW-Edition 2010.1D 2011.07.07 Heuristic.LooksLike.Win32.Suspicious.C
Microsoft 1.7000 2011.07.07 Trojan:Win32/Ramnit.A
NOD32 6271 2011.07.07 a variant of Win32/Kryptik.PJV
Norman 6.07.10 2011.07.06 -
nProtect 2011-07-06.01 2011.07.06 Gen:Variant.Kazy.28359
Panda 10.0.3.5 2011.07.06 Generic Trojan
PCTools 8.0.0.5 2011.07.07 Trojan.ADH
Prevx 3.0 2011.07.07 -
Rising 23.65.02.03 2011.07.06 -
Sophos 4.67.0 2011.07.07 Mal/Generic-L
SUPERAntiSpyware 4.40.0.1006 2011.07.07 Trojan.Agent/Gen-NumTemp
Symantec 20111.1.0.186 2011.07.07 Trojan.ADH.2
TheHacker 6.7.0.1.248 2011.07.07 Trojan/Lebag.dgc
TrendMicro 9.200.0.1012 2011.07.07 TROJ_GEN.RC1C2FT
TrendMicro-HouseCall 9.200.0.1012 2011.07.07 TROJ_GEN.RC1C2FT
VBA32 3.12.16.4 2011.07.06 -
VIPRE 9792 2011.07.07 Trojan.Win32.Generic!BT
ViRobot 2011.7.7.4555 2011.07.07 -
VirusBuster 14.0.112.1 2011.07.06 Trojan.Kryptik!YfWUcRM0pl8

MD5: fe90ed7d6144bd70ae8cba1fdbae06fe
SHA1: 25080d2a5238f04cf6363e8362847b36277bfe3c
SHA256: f5ceb6a1796297eac9d5731ccdf4fd9eb8927d792ba62fa4131a50513ad03b56
ssdeep: 3072:mU4p/VSvUlCurkYViBdTPyqyzQAMP/W8cApz6zI+ISYfH9PJCn3o4ftDb1S97CUI:mUGt5EGkrBd7IFW7cAF4ISYvSn3/b1Sk
File size: 168307 bytes
First seen: 2011-06-21 23:50:42
Last seen: 2011-07-07 07:37:08
TrID: Win32 Executable Generic (42.3%), Win32 Dynamic Link Library (generic) (37.6%), Generic Win/DOS Executable (9.9%), DOS Executable Generic (9.9%), Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0x5734
timedatestamp....: 0x4DEC7EA2 (Mon Jun 06 07:15:46 2011)
machinetype......: 0x14c (I386)
[[ 2 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x87000, 0x24A00, 8.00, e06eb94f02f72834b7911625bce89af3
.rsrc, 0x88000, 0x4FFB, 0x41FB, 5.91, 4f20ebd52688694c9b30de5e94df3601
[[ 7 import(s) ]]
Kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
advapi32.dll: RegSetValueExA, RegFlushKey, RegQueryValueExA, RegEnumKeyExA, RegConnectRegistryA, RegQueryInfoKeyA, RegOpenKeyExA, RegCreateKeyExA
Kernel32.dll: VirtualFree, GetLastError, lstrlenA, GetStdHandle, LoadLibraryExA, lstrcpyA, MultiByteToWideChar, WideCharToMultiByte, VirtualAlloc, LocalAlloc, InitializeCriticalSection, RaiseException, WriteFile, CloseHandle, GetFileSize, SetFilePointer, GetFileType, GetLocaleInfoA, RtlUnwind, GetStartupInfoA, GetThreadLocale, CreateFileA, ExitProcess, GetSystemTime, FreeLibrary, EnterCriticalSection, ReadFile, SetEndOfFile, LocalFree, GetCurrentDirectoryA, SetCurrentDirectoryA, GetCommandLineA, LeaveCriticalSection, VirtualQuery
user32.dll: GetKeyboardType, LoadStringA, MessageBoxA
comctl32.dll: ImageList_DrawEx, ImageList_DragShowNolock, ImageList_DragEnter, ImageList_GetIconSize, ImageList_DragMove, ImageList_Add, ImageList_GetIcon, ImageList_Write, ImageList_SetDragCursorImage, ImageList_SetIconSize, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_GetDragImage, ImageList_Read
winmm.dll: PlaySoundA
winspool.drv: EnumPrintersA, EnumPrintersA, DocumentPropertiesA, OpenPrinterA
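The two VirusTotal reports above (posts #18 and #19) carry more information than the per-engine names suggest: a detection ratio, recurring family names (Lebag, Kazy) versus purely generic labels, and identical MD5/SHA-1/SHA-256 digests for the .exe and the .tmp, which means both submissions were the same bytes under two names. The script below is an added example, not code from this thread or from VirusTotal; it reads results pasted as plain text in the "engine version update-date result" layout shown above (a constructed ten-engine excerpt is embedded, with the digests copied from the posts) and summarises them. The list of generic words it ignores is an assumption.

```python
"""Summarise VirusTotal engine results pasted as plain text, one engine per line.

Added example (not code from the forum thread or from VirusTotal).
"""
import re
from collections import Counter

# Constructed excerpt of the report for mwfmfysqygfgoseh.exe posted above.
# A result of "-" means the engine reported nothing for the file.
REPORT_EXE = """\
AhnLab-V3 2011.07.07.01 2011.07.07 Trojan/Win32.Lebag
Avast 4.8.1351.0 2011.07.06 Win32:Dropper-HAX
BitDefender 7.2 2011.07.07 Gen:Variant.Kazy.28359
ClamAV 0.97.0.0 2011.07.07 -
DrWeb 5.0.2.03300 2011.07.07 Win32.HLLM.Reset.129
Kaspersky 9.0.0.837 2011.07.07 Trojan.Win32.Lebag.dgc
Microsoft 1.7000 2011.07.07 Trojan:Win32/Ramnit.A
NOD32 6271 2011.07.07 a variant of Win32/Kryptik.PJV
Norman 6.07.10 2011.07.06 -
Panda 10.0.3.5 2011.07.06 Generic Trojan
"""

# Digests copied from the two reports posted above (the .exe and the .tmp).
DIGESTS_EXE = {"md5": "fe90ed7d6144bd70ae8cba1fdbae06fe",
               "sha256": "f5ceb6a1796297eac9d5731ccdf4fd9eb8927d792ba62fa4131a50513ad03b56"}
DIGESTS_TMP = {"md5": "fe90ed7d6144bd70ae8cba1fdbae06fe",
               "sha256": "f5ceb6a1796297eac9d5731ccdf4fd9eb8927d792ba62fa4131a50513ad03b56"}

# Words that carry no family information (assumed list; extend as needed).
GENERIC_WORDS = {"trojan", "win32", "w32", "generic", "variant", "gen", "malware",
                 "heuristic", "suspicious", "suspect", "looks", "like"}


def parse_results(text):
    """Return a list of (engine, version, date, result) tuples; odd lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=3)
        if len(parts) < 4:
            continue  # blank or malformed line: do not guess at it
        rows.append(tuple(parts))
    return rows


def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    flagged = sum(1 for _, _, _, result in rows if result != "-")
    return flagged, len(rows)


def family_counts(rows):
    """Count family-like tokens (4+ letters, not a generic word) across all results."""
    families = Counter()
    for _, _, _, result in rows:
        if result == "-":
            continue
        for token in re.findall(r"[A-Za-z]{4,}", result):
            if token.lower() not in GENERIC_WORDS:
                families[token] += 1
    return families


def same_sample(a, b):
    """True when two reports describe the same bytes (SHA-256 match, case-insensitive)."""
    return a["sha256"].lower() == b["sha256"].lower()


if __name__ == "__main__":
    rows = parse_results(REPORT_EXE)
    flagged, total = detection_ratio(rows)
    print(f"{flagged}/{total} engines flagged the file")
    print("recurring families:", family_counts(rows).most_common(3))
    print("exe and tmp are the same file:", same_sample(DIGESTS_EXE, DIGESTS_TMP))
```

Comparing digests before uploading a second file saves a submission when the bytes are already known, and a family name that several independent engines agree on (here Lebag) is a stronger signal than any single generic verdict.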

#20 mikeleafe (New Member, Authentic Member, 19 posts)
Posted 07 July 2011 - 09:37 AM

Here's the DrWeb log:

List-C.bat;C:\ComboFix;Probably BATCH.Virus;;
RegUBP2b-Paul.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
OTL.exe;C:\Documents and Settings\Paul\Desktop;Trojan.Siggen2.48050;Incurable.Moved.;
427B.tmp;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Win32.HLLM.Reset.129;Incurable.Moved.;
4440.tmp;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Win32.HLLM.Reset.129;Incurable.Moved.;
45C6.tmp;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Win32.HLLM.Reset.129;Incurable.Moved.;
493F.tmp;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Win32.HLLM.Reset.129;Incurable.Moved.;
mwfmfysqygfgoseh.exe;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Win32.HLLM.Reset.129;Incurable.Moved.;
OTL.exe;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Trojan.Siggen2.48050;Incurable.Moved.;
4BCE.tmp;C:\_OTL\MovedFiles\07062011_141514\C_Windows\System32\config\systemprofile;Win32.HLLM.Reset.129;Incurable.Moved.;
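The Dr.Web report above is a semicolon-separated list (name;folder;detection;action), and most of its entries point at files that a tool had already quarantined or moved (the DoctorWeb\Quarantine and _OTL\MovedFiles folders) or at the cleanup tools' own files (C:\ComboFix). The script below is an added example, not code from this thread or from Dr.Web: it parses the records posted above (embedded as a constructed sample) and separates what was neutralised from anything still outstanding. The folder markers it treats as "already handled" are an assumption for the tools used in this thread.

```python
"""Triage a Dr.Web CureIt report (the DrWeb.csv saved with File -> Save report list).

Added example, not code from the thread or from Dr.Web.
"""
from collections import Counter

# Constructed sample: the ten records from the report posted above, one per line.
# Observed field order: name;folder;detection;action; (trailing separator).
SAMPLE_REPORT = r"""
List-C.bat;C:\ComboFix;Probably BATCH.Virus;;
RegUBP2b-Paul.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
OTL.exe;C:\Documents and Settings\Paul\Desktop;Trojan.Siggen2.48050;Incurable.Moved.;
427B.tmp;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Win32.HLLM.Reset.129;Incurable.Moved.;
4440.tmp;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Win32.HLLM.Reset.129;Incurable.Moved.;
45C6.tmp;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Win32.HLLM.Reset.129;Incurable.Moved.;
493F.tmp;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Win32.HLLM.Reset.129;Incurable.Moved.;
mwfmfysqygfgoseh.exe;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Win32.HLLM.Reset.129;Incurable.Moved.;
OTL.exe;C:\Documents and Settings\Paul\DoctorWeb\Quarantine;Trojan.Siggen2.48050;Incurable.Moved.;
4BCE.tmp;C:\_OTL\MovedFiles\07062011_141514\C_Windows\System32\config\systemprofile;Win32.HLLM.Reset.129;Incurable.Moved.;
"""

# Folder fragments (lower case) marking files already quarantined or moved by a
# cleanup tool, or belonging to the tool itself. Assumed list for this thread's tools.
HANDLED_FOLDER_MARKERS = (r"\doctorweb\quarantine", r"\_otl\movedfiles", r"c:\combofix")


def parse_report(text):
    """Return one dict per record; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 3 or not fields[0]:
            continue
        # An empty action field means Dr.Web reported the file but did nothing to it.
        action = fields[3].rstrip(".") if len(fields) > 3 and fields[3] else "none"
        records.append({"name": fields[0], "folder": fields[1],
                        "detection": fields[2], "action": action})
    return records


def in_handled_folder(folder):
    """True when the folder belongs to a cleanup tool or is one of its quarantines."""
    low = folder.lower()
    return any(marker in low for marker in HANDLED_FOLDER_MARKERS)


def triage(records):
    """Split records into neutralised, tool-folder hits, and outstanding items."""
    by_detection = Counter(r["detection"] for r in records)
    neutralised = [r for r in records if r["action"] != "none"]
    tool_folder_hits = [r for r in records if in_handled_folder(r["folder"])]
    # Outstanding: no action taken and the file is not already under a tool's control.
    outstanding = [r for r in records
                   if r["action"] == "none" and not in_handled_folder(r["folder"])]
    return {"by_detection": by_detection, "neutralised": neutralised,
            "tool_folder_hits": tool_folder_hits, "outstanding": outstanding}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for detection, count in result["by_detection"].most_common():
        print(f"{count:2d}  {detection}")
    print("neutralised:", len(result["neutralised"]),
          "in tool folders:", len(result["tool_folder_hits"]))
    print("outstanding:", [r["name"] for r in result["outstanding"]] or "none")
```

Two caveats when reading such a report: a detection on a removal utility's own executable (OTL.exe here) is listed like any other hit and is best checked against the tool vendor's published download rather than assumed either way, and files flagged inside a quarantine folder were already inert before Dr.Web saw them.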

#21 mikeleafe (New Member, Authentic Member, 19 posts)
Posted 07 July 2011 - 09:44 AM

Joy of joys, have rebooted and hooray, no Internet Explorer opening on its own, no sign of files reappearing either, everything seems to be working fine now. I cannot thank you guys enough, fantastic job. Mike

#22 mowman (SuperMember, Malware Team, 2,669 posts)
Posted 07 July 2011 - 11:10 AM

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File:: 
    c:\windows\system32\config\systemprofile\cdiygtjw.sys
    
    Driver:: 
    Micorsoft Windows Service
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

#23 mikeleafe (New Member, Authentic Member, 19 posts)
Posted 07 July 2011 - 11:39 AM

Here's the ComboFix log:

ComboFix 11-07-07.03 - Paul 07/07/2011 18:25:16.3.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3036.2046 [GMT 1:00]
Running from: c:\users\Paul\Desktop\ComboFix.exe
Command switches used :: c:\users\Paul\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\config\systemprofile\cdiygtjw.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-06-07 to 2011-07-07 )))))))))))))))))))))))))))))))
.
.
2011-07-07 17:28 . 2011-07-07 17:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-07 17:24 . 2011-07-07 17:24 -------- d-----w- C:\32788R22FWJFW
2011-07-07 08:21 . 2011-07-07 10:14 -------- d-----w- c:\users\Paul\DoctorWeb
2011-07-07 07:32 . 2011-07-07 10:33 36864 ----atw- c:\windows\system32\config\systemprofile\~DFDEB6.tmp
2011-07-07 07:32 . 2011-07-07 07:32 0 ----atw- c:\windows\system32\config\systemprofile\~DF5CEA.tmp
2011-07-05 21:55 . 2011-07-05 21:55 -------- d-----w- c:\program files\ESET
2011-07-05 14:57 . 2011-07-07 17:29 -------- d-----w- c:\users\Paul\AppData\Local\temp
2011-07-05 12:14 . 2011-07-05 12:14 -------- d-----w- c:\program files\GIANT Company Software
2011-07-05 12:13 . 2011-07-05 12:13 -------- d-----w- c:\windows\Downloaded Installations
2011-07-05 08:42 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-05 08:42 . 2011-07-05 08:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-05 08:42 . 2011-05-29 08:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 07:44 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{51684DF5-0DF8-4D60-BB7B-06C9BF5A3353}\mpengine.dll
2011-07-04 21:00 . 2011-07-04 21:00 -------- d-----w- C:\_OTL
2011-07-04 17:32 . 2011-07-04 17:32 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-07-04 14:42 . 2010-05-26 09:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-07-04 11:09 . 2011-07-04 16:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-04 11:09 . 2011-07-04 12:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-07-04 09:55 . 2011-07-04 09:55 -------- d-----w- c:\program files\Trend Micro
2011-07-04 09:54 . 2011-07-04 09:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-03 17:25 . 2011-07-04 16:43 -------- d-----w- c:\programdata\Lavasoft
2011-07-03 17:25 . 2011-07-03 17:25 -------- d-----w- c:\program files\Lavasoft
2011-07-03 17:22 . 2011-07-03 17:22 -------- d-----w- c:\windows\system32\config\systemprofile\Google Toolbar
2011-07-03 17:22 . 2011-07-03 17:22 -------- d-----w- c:\windows\system32\config\systemprofile\Low
2011-06-29 19:38 . 2011-06-29 19:38 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
2011-06-29 06:50 . 2011-06-29 06:50 -------- d-----w- c:\program files\Sophos
2011-06-29 06:46 . 2011-04-29 15:59 276992 ----a-w- c:\windows\system32\schannel.dll
2011-06-29 06:43 . 2011-06-29 06:43 -------- d-----w- c:\users\Paul\AppData\Local\{C8DDA1F2-1573-4419-B26B-9D47B513CB24}
2011-06-24 13:58 . 2011-06-29 17:34 -------- d-----w- c:\programdata\Viewpoint
2011-06-24 11:58 . 2011-06-24 11:58 -------- d-----w- c:\users\Paul\AppData\Local\{1AB82F8B-455E-4E4E-82F6-130F833B3D04}
2011-06-23 13:40 . 2011-06-23 13:40 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-23 11:13 . 2011-06-23 11:13 -------- d-----w- c:\program files\Common Files\Java
2011-06-23 11:13 . 2011-05-04 03:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-23 08:03 . 2011-06-23 08:03 -------- d-----w- c:\users\Paul\AppData\Local\{0C1184A4-F776-4750-8482-9C77BEEFFDB2}
2011-06-22 12:49 . 2011-06-22 12:49 -------- d-----w- c:\programdata\Malwarebytes
2011-06-22 09:52 . 2011-07-05 08:24 -------- d-----w- c:\programdata\ParetoLogic
2011-06-22 07:56 . 2011-06-22 07:57 -------- d-----w- c:\users\Paul\AppData\Local\{EE615C3A-1A8C-43EF-8D39-E41CD99460DC}
2011-06-21 07:48 . 2011-06-21 07:49 -------- d-----w- c:\users\Paul\AppData\Local\{B81A3A10-1C42-49C0-B458-9CA7220E7429}
2011-06-20 07:57 . 2011-06-20 07:58 -------- d-----w- c:\users\Paul\AppData\Local\{A6A8EE67-B008-4411-ABC2-E6A95520B843}
2011-06-17 07:52 . 2011-06-17 07:53 -------- d-----w- c:\users\Paul\AppData\Local\{054A9C43-7396-4AE9-8932-081365B35620}
2011-06-16 07:50 . 2011-06-16 07:51 -------- d-----w- c:\users\Paul\AppData\Local\{FB2A2C19-5107-44D8-A0CC-00E8A9B97140}
2011-06-15 16:10 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-15 16:10 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-15 16:10 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-15 08:03 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-15 08:02 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 08:02 . 2011-04-29 13:25 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 08:02 . 2011-04-29 13:25 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 08:02 . 2010-12-20 16:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 08:02 . 2011-05-02 17:16 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 08:02 . 2011-05-02 12:02 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-06-15 08:02 . 2011-04-29 13:24 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 08:02 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 08:02 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 07:55 . 2011-06-15 07:55 -------- d-----w- c:\users\Paul\AppData\Local\{04DC7D24-F86C-41CE-9996-14CACAF9B390}
2011-06-14 08:00 . 2011-06-14 08:01 -------- d-----w- c:\users\Paul\AppData\Local\{EBA4DA58-C65D-4AB7-AC11-038B6BB79233}
2011-06-13 07:55 . 2011-06-13 07:55 -------- d-----w- c:\users\Paul\AppData\Local\{3D151075-E4C9-44BC-AC01-2671C22E5B97}
2011-06-10 07:32 . 2011-06-10 07:33 -------- d-----w- c:\users\Paul\AppData\Local\{8C7F33F3-5B56-45A8-A718-E6942839888F}
2011-06-09 16:03 . 2011-06-09 16:03 -------- d-----w- c:\program files\MSXML 4.0
2011-06-09 09:14 . 2011-06-09 09:14 -------- d-----w- c:\programdata\NokiaAccount
2011-06-09 08:58 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-06-09 08:58 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-06-09 08:53 . 2011-06-09 09:24 -------- d-----w- c:\users\Paul\AppData\Local\Nokia
2011-06-09 08:53 . 2011-06-22 23:59 -------- d-----w- c:\programdata\PC Suite
2011-06-09 08:53 . 2011-06-09 09:16 -------- d-----w- c:\users\Paul\AppData\Roaming\PC Suite
2011-06-09 08:51 . 2011-06-09 08:51 -------- d-----w- c:\program files\Common Files\Nokia
2011-06-09 08:51 . 2011-06-09 08:51 -------- d-----w- c:\program files\DIFX
2011-06-09 08:51 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-06-09 08:50 . 2011-06-09 08:50 -------- d-----w- c:\program files\PC Connectivity Solution
2011-06-09 08:49 . 2010-12-02 14:13 75264 ----a-w- c:\windows\system32\nmwcdcls.dll
2011-06-09 08:49 . 2011-06-22 23:59 -------- d-----w- c:\programdata\NokiaInstallerCache
2011-06-09 08:49 . 2011-06-09 08:51 -------- d-----w- c:\program files\Nokia
2011-06-09 07:58 . 2011-06-09 07:58 -------- d-----w- c:\users\Paul\AppData\Local\{19427B42-C493-4EC0-8CDC-2893A6FAE861}
2011-06-08 07:31 . 2011-06-08 07:31 -------- d-----w- c:\users\Paul\AppData\Local\{5B75D84C-5465-4B2E-982E-5831DE0762DE}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-24 08:03 . 2010-02-24 11:56 848 --sha-w- c:\programdata\KGyGaAvL.sys
2011-05-24 18:14 . 2010-06-11 11:18 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-24 08:03 . 2011-05-24 08:03 161792 ----a-w- c:\windows\system32\msls31.dll
2011-05-24 08:03 . 2011-05-24 08:03 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-05-24 08:03 . 2011-05-24 08:03 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-24 08:03 . 2011-05-24 08:03 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-05-24 08:03 . 2011-05-24 08:03 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-05-24 08:03 . 2011-05-24 08:03 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-05-24 08:03 . 2011-05-24 08:03 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-05-24 08:03 . 2011-05-24 08:03 367104 ----a-w- c:\windows\system32\html.iec
2011-05-24 08:03 . 2011-05-24 08:03 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-05-24 08:03 . 2011-05-24 08:03 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-05-24 08:03 . 2011-05-24 08:03 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-24 08:03 . 2011-05-24 08:03 152064 ----a-w- c:\windows\system32\wextract.exe
2011-05-24 08:03 . 2011-05-24 08:03 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-05-24 08:03 . 2011-05-24 08:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-24 08:03 . 2011-05-24 08:03 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-24 08:03 . 2011-05-24 08:03 11776 ----a-w- c:\windows\system32\mshta.exe
2011-05-24 08:03 . 2011-05-24 08:03 101888 ----a-w- c:\windows\system32\admparse.dll
2011-05-24 08:03 . 2011-05-24 08:03 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-05-24 08:03 . 2011-05-24 08:03 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-20 182808]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"D066UUtility"="c:\windows\TWAIN_32\D66U\D066UUTY.EXE" [2000-07-06 32768]
"DLPSP"="c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2009-07-08 406840]
"DLUPDR"="c:\program files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE" [2009-07-08 243008]
"DLQLU"="c:\program files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE" [2009-07-08 816368]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-19 6265376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 11:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-06 11:55 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2008-08-08 17:30 16712 ----a-r- c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2008-08-08 17:30 532808 ----a-r- c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-24 02:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 01:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2011-05-20 15:56 724536 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 10:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9c7fdbc428860;Google Update Service (gupdate1c9c7fdbc428860);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-28 133104]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-28 133104]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\DD63.tmp [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-08-19 81920]
S2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-08-19 27648]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-08-26 112128]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-28 12:34]
.
2011-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-28 12:34]
.
2011-07-07 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2009-04-16 07:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-07 18:29
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\DD63.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,bd,0c,6b,ab,e1,5f,46,89,f4,cd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,94,bd,0c,6b,ab,e1,5f,46,89,f4,cd,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.3.21.57\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\windows\PEV.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-07-07 18:34:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-07 17:34
ComboFix2.txt 2011-07-05 21:41
ComboFix3.txt 2011-07-05 14:57
.
Pre-Run: 257,598,906,368 bytes free
Post-Run: 257,596,039,168 bytes free
.
- - End Of File - - 3022EB3D10F715413FA6151CBE90E0AC

#24 mowman

mowman

    SuperMember

  • Malware Team
  • 2,669 posts

Posted 07 July 2011 - 11:46 AM

You appear clean of infections, please do the following.

ComboFix - Cleanup
Time for some housekeeping
  • Click Start...select Run from the menu.
  • Copy and paste the following into the text entry box:
    Combofix /Uninstall
  • Click the OK button. (See image below as reference.)

Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Clean out your temp files.
Download Attribune's ATF Cleaner and save to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Here are some recommendations to help you stay clean.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com/

Make sure you are running a FIREWALL. The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
Please read this article 'Safe Computing Practices'.
So how did I get infected in the first place?

Please take a moment to read quietman7's excellent prevention tips in post 3 here
Click >>>> Tips to protect yourself against malware and reduce the potential for re-infection:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


That's it, you are good to go. Safe surfing

#25 mikeleafe

mikeleafe

    New Member

  • Authentic Member
  • Pip
  • 19 posts

Posted 07 July 2011 - 12:05 PM

Once again thank you so much, your help has been invaluable. I will follow your advice to keep clean in the future but if I happen to get caught out again I know where my first port of call will be, again many many thanks mike


#26 mowman

mowman

    SuperMember

  • Malware Team
  • 2,669 posts

Posted 07 July 2011 - 05:13 PM

You're welcome, glad we could help :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.
