16 replies to this topic

[babaloo]

Seen a pop-up about viruses on my computer, terminated the IE session, then immediately installed & ran malwarebytes, doing a full scan. Found this one infection, which I had malwarebytes remove. I've run the DDS.COM and attached requested files.

 dds.txt   6.34K   14 downloads

 attach.txt   10.65K   9 downloads

[Maniac]

Hello babaloo and ! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

• Launch Malwarebytes' Anti-Malware
  
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.


Step 2

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply



In your next reply, post the following log files:

• Malwarebytes' Anti-Malware log
  
• aswMBR log

[babaloo]

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.27.05
Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Jerry :: HOMEDVR [administrator]
7/27/2012 8:43:04 AM
mbam-log-2012-07-27 (08-43-04).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204261
Time elapsed: 7 minute(s), 9 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-27 09:28:04
-----------------------------
09:28:04.381 OS Version: Windows 5.1.2600 Service Pack 2
09:28:04.381 Number of processors: 1 586 0x207
09:28:04.381 ComputerName: HOMEDVR UserName: Jerry
09:28:05.475 Initialize success
09:30:22.459 AVAST engine defs: 12072700
09:31:02.084 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
09:31:02.084 Disk 0 Vendor: WDC_WD800JD-60LSA0 07.01D07 Size: 76319MB BusType: 3
09:31:02.084 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-10
09:31:02.084 Disk 1 Vendor: Hitachi_HDS721010KLA330 GKAOA70M Size: 953869MB BusType: 3
09:31:02.100 Disk 0 MBR read successfully
09:31:02.100 Disk 0 MBR scan
09:31:02.147 Disk 0 Windows XP default MBR code
09:31:02.147 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
09:31:02.162 Disk 0 scanning sectors +156280320
09:31:02.240 Disk 0 scanning C:\WINDOWS\system32\drivers
09:31:15.803 Service scanning
09:31:32.193 Modules scanning
09:31:37.678 Disk 0 trace - called modules:
09:31:38.193 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
09:31:38.193 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8677dab8]
09:31:38.193 3 CLASSPNP.SYS[f78a405b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x867944e8]
09:31:38.365 AVAST engine scan C:\WINDOWS
09:31:45.053 AVAST engine scan C:\WINDOWS\system32
09:33:38.756 AVAST engine scan C:\WINDOWS\system32\drivers
09:33:54.240 AVAST engine scan C:\Documents and Settings\Jerry
09:42:22.975 AVAST engine scan C:\Documents and Settings\All Users
09:43:32.100 Scan finished successfully
09:45:13.928 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jerry\Desktop\MBR.dat"
09:45:13.928 The log file has been saved successfully to "C:\Documents and Settings\Jerry\Desktop\aswMBR.txt"


From what I've read, I guess there could be items (folders, files) hidden now? The only think I noticed so far missing is an icon in the system tray for SUPERAntiSpyware, but then I haven't rebooted yet either...

[Maniac]

Yes and I want to check this:

Please download unhide.exe from here and save it to your Desktop. Double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run. When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt .

[babaloo]

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingc...opic405109.html
Program started at: 07/27/2012 01:26:44 PM
Windows Version: Windows XP
Please be patient while your files are made visible again.
Processing the A:\ drive
Finished processing the A:\ drive. 0 files processed.
Processing the C:\ drive
Finished processing the C:\ drive. 45058 files processed.
Processing the F:\ drive
Finished processing the F:\ drive. 24320 files processed.
The C:\DOCUME~1\Jerry\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingc...opic405109.html
Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowMyMusic was set to 0! It was set back to 1!
* Start_ShowMyPics was set to 0! It was set back to 1!
Restarting Explorer.exe in order to apply changes.
Program finished at: 07/27/2012 01:29:00 PM
Execution time: 0 hours(s), 2 minute(s), and 16 second(s)

[Maniac]

Looks good!

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

[babaloo]

 HOMEDVR_Screenshot.JPG   97.84K   6 downloadsManiac,

I downloaded & ran COMBOFIX, but wasn't right there watching it. Anyway, it appears a reboot happened (not exactly sure) because there was no longer a COMBOFIX window, and the SUPERAntiSpyware app was showing in the system tray (wasn't there before).

Viewing from Windows Explorer, there is what appears to be a link in the C: drive to "My Computer" called Combofix (see uploaded screenshot), because if I expand it, I see everything in "My Computer".

There is not a combofix.txt in the root of C:, but I did find a hidden directory C:\Combofix that had one. Posting the contents of that here:

ComboFix 12-07-27.03 - Jerry 07/28/2012 11:38:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.587 [GMT -4:00]
Running from: C:\Documents and Settings\Jerry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}


That's it. I was thinking that maybe there was a reboot during the Combofix run before it completed. I have not tried running it again yet - waiting on your direction.

[Maniac]

Are you sure this is the entire log?

ComboFix 12-07-27.03 - Jerry 07/28/2012 11:38:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.587 [GMT -4:00]
Running from: C:\Documents and Settings\Jerry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

[babaloo]

Yes, but it was NOT in C:\. rather it was in C:\COMBOFIX. The instructions said it should be in the root of C:\, that's why I was wondering if it really ever completed.

[Maniac]

Please try again in Safe mode with Networking:
http://www.microsoft...t_failsafe.mspx

[babaloo]

Finally tried it again in normal Windows mode (not safe mode) and got it to work. Here's the log file:

ComboFix 12-07-31.06 - Jerry 08/03/2012 19:43:48.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.709 [GMT -4:00]
Running from: c:\documents and settings\Jerry\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\5.tmp
c:\windows\dasetup.log
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\msssc.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-03 to 2012-08-03 )))))))))))))))))))))))))))))))
.
.
2012-07-26 00:45 . 2012-07-26 00:45 -------- d-----w- c:\documents and settings\Jerry\Application Data\Malwarebytes
2012-07-26 00:45 . 2012-07-26 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-07-26 00:45 . 2012-07-26 00:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-26 00:45 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-10 03:54 . 2012-07-10 03:54 -------- d-----w- c:\program files\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-17 12:29 . 2012-05-18 13:05 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-17 12:29 . 2011-12-26 22:32 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-30 39408]
"ATI Scheduler"="c:\program files\ATI Multimedia\main\ATISched.EXE" [2003-05-14 36942]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\LaunchPd.exe" [2003-05-14 106574]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-24 3905408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-29 323584]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/w...0&ver=10.0.1325" [?]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:VNC
"5800:TCP"= 5800:TCP:VNC HTTP
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 4:32 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 6:41 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 7:54 AM 301248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [7/4/2012 5:25 PM 5160568]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 12:56 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 12:56 AM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 04:56]
.
2012-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 04:56]
.
2012-07-27 c:\windows\Tasks\restart.job
- C:\restart.bat [2010-02-07 18:05]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
TCP: DhcpNameServer = 192.168.10.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-03 19:50
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(896)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2012-08-03 19:52:19
ComboFix-quarantined-files.txt 2012-08-03 23:52
ComboFix2.txt 2012-07-28 15:38
.
Pre-Run: 31,580,348,416 bytes free
Post-Run: 32,078,589,952 bytes free
.
- - End Of File - - 93431BF061085CA37136F89FE4672DF2

[Maniac]

• Launch Malwarebytes' Anti-Malware
  
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

[babaloo]

Nothing found!

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.04.04
Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Jerry :: HOMEDVR [administrator]
8/4/2012 10:33:11 AM
mbam-log-2012-08-04 (10-33-11).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191309
Time elapsed: 3 minute(s), 40 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

[Maniac]

Glad I could help!

Please uninstall ComboFix:
http://www.bleepingc...bofix#uninstall

Next, manually delete DDS, aswMBR and unhide .

Some malware prevention tips:
http://forums.malwar...howtopic=104379


Safe surfing!

[babaloo]

Maniac,

Thanks for all the help!

[Maniac]

You're welcome!

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!