23 replies to this topic

[StephenS]

Hello. This started yesterday, but I have done a lot of research about it and I haven't found a way to remove this annoying malware infection.

I have tried AVG, Symantec, AND MBAM and to no avail. Last time I had a problem, MBAM took care of it quite well, but this is probably a new varient and that's why it's not been able to detect/remove this.

Here is a list of the problems I have encountered:

1) Google searches are being re-directed to random ad sites.

2) When I attempt to run cmd and regedit, explorer crashes and restarts. I renamed Regedit to reg3dit to get around this, but I'm not sure what I am looking for. I didn't see anything too suspicious with my "untrained eyes."

3) I discovered in my research that bleepingcomputer.net is blocked and I am not able to access it from this computer. I went to another computer that is not infected and did some research on there though.

4) AVG and MBAM do not update through the normal means. I had to manually update each of them to the most current versions in order to reliably scan. I uninstalled AVG after this. I still have MBAM though.

5) Access to Windows updates has been cut off.

One further note, I hardly use Internet Explorer, all of my surfing is done in Firefox.

That's about all I can think of at this point.



Here is a HJT log to get things rolling. I hope we can get rid of this thing soon.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
C:\ColdFusion8\jnbridge\JNBDotNetSide.exe
C:\ColdFusion8\db\slserver54\bin\swagent.exe
C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
C:\ColdFusion8\db\slserver54\bin\swsoc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.srh.noaa.gov/fwd/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwat...105-17&langid=1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [wF7R3El] dimtcfg.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendow...g/usbaptest.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166068882203
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ColdFusion 8 .NET Service - Unknown owner - C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
O23 - Service: ColdFusion 8 Application Server - Macromedia Inc. - C:\ColdFusion8\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion 8 ODBC Agent - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion 8 ODBC Server - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[StephenS]

Bumping to keep it from getting lost.

[StephenS]

Also, the latest MBAM log:

Malwarebytes' Anti-Malware 1.34
Database version: 1945
Windows 5.1.2600 Service Pack 2

4/7/2009 8:06:22 AM
mbam-log-2009-04-07 (08-06-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170180
Time elapsed: 1 hour(s), 17 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\A0000351.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



I was hoping this would take care of it, but alas, it didn't.

Oh well... Still waiting on possible solutions.

[AdvancedSetup]

Your version
Malwarebytes' Anti-Malware 1.34
Database version: 1945


Current version
Malwarebytes' Anti-Malware 1.36
Database version: 1950



Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.



[indent]Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

• DDS.txt
  
• Attach.txt

• Save both reports to your desktop
  
• Please include the following logs in your next reply: DDS.txt and Attach.txt

[/indent]

[StephenS]

I can't get MBAM to update through the normal means though. The version I have is from the manual update.

Is that the version I will get if I do it manually?

[AdvancedSetup]

Try one of these and see if you can get MBAM running correctly.


Potential Malware infection issues to review to get MBAM running

• MB won't run(Fix) - Total-Security (FakeAlert)
  
• MBAM wont run (Fix) - av360 (Fakealert)
  
• MBAM wont install or will not run. - CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC

You can also try running this AV scanner if you need to.


Please download to your Desktop: Dr.Web CureIt

• After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  
• Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  
• Once the short scan has finished, Click on the Complete scan radio button.
  
• Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  
• Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  
• On the File types tab ensure you select All files
  
• Click on the Actions tab and set the following:
  
  • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    
  • Infected packages Archive = Move, E-mails = Report, Containers = Move
    
  • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    
  • Do not change the Rename extension - default is: #??
    
  • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    
  • Leave prompt on Action checked
• On the Log file tab leave the Log to file checked.
  
• Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  
• Log mode = Append
  
• Encoding = ANSI
  
• Details Leave Names of file packers and Statistics checked.
  
• Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  
• On the General tab leave the Scan Priority on High
  
• Click the Apply button at the bottom, and then the OK button.
  
• On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  
• In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  
• The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  
• When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  
• Click 'Yes to all' if it asks if you want to cure/move the files.
  
• This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  
• Save the report to your Desktop. The report will be called DrWeb.csv
  
• Close Dr.Web Cureit.
  
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.
  [indent][/indent]

[StephenS]

Ok, I know for a fact I don't have any issues with the first two links you provided because I haven't had anything like that.

I did go ahead and DL Rootrepeal though and took a look at the file scan feature. I didn't see anything suspicious looking involving a rootkit. I don't think that's the issue here.

Are there any other suggestions you have to get MBAM up to date? It's probably not detecting this variant of malware for that very reason.

I can go ahead and install the WebCureit program if there is no other way to get it to version 1950 at this time.

Again, it's not having trouble opening or scanning, just updating with its update feature.

[miekiemoes]

Hi,

Sorry to jump in, but It appears you're dealing with a new variant here... (since you're using a recent database version)
Thats why I need a sample from your computer.

To find out what we need.. and since you already renamed regedit..
Launch the reg3dit.exe in order to open your Registry Editor.

There, browse to the following key:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

You'll see on the left that you can expand the keys (they will look like folders). So expand them until you get drivers32
Rightclick the drivers32 key (folder) and select to export:



Give it a name and export it as a txtfile on your desktop.


Then copy and paste the contents of it in your next reply.

If confused, please ask first.

Extra note.. after you have used the renamed regedit.exe (reg3dit.exe), look in your Windows folder if Windows File Protection placed a new regedit.exe there again (it should). If not, then rename reg3dit.exe back to regedit.exe.

[StephenS]

Hey

Ok, I did what you asked and I got this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"VIDC.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.l3acm"="C:\\WINDOWS\\System32\\l3codeca.acm"
"vidc.iv41"="ir41_32.ax"
"msacm.iac2"="iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.ctmp3"="C:\\WINDOWS\\System32\\ctmp3.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"vidc.DIVX"="DivX.dll"
"MSVideo8"="VfWWDM32.dll"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux1"="wdmaud.drv"
"aux2"="C:\\DOCUME~1\\Stephen\\LOCALS~1\\Temp\\..\\msqspuq.bet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"
"mixer"="rdpsnd.dll"


My first look goes immediately to the "C:\\DOCUME~1\\Stephen\\LOCALS~1\\Temp\\..\\msqspuq.bet" under aux2.

I saw you dealing with others and you would pick other similar ones for analysis. However, when I checked that file, the date was like several years ago so I left it alone until I could get confirmation from someone else. I don't want to kill something that is legitimate. haha

[StephenS]

Also, it did indeed add a new regedit to the folder.

[miekiemoes]

Hi,

It indeed looks like a new variant:

I want the sample: C:\DOCUMENTS and Settings\Stephen\LOCAL Settings\msqspuq.bet

So navigate to the C:\DOCUMENTS and Settings\Stephen\LOCAL Settings folder, rightclick the msqspuq.bet and zip it.
Then start a new thread here: http://www.malwareby...hp?showforum=55 and attach that sample there.

Reply here once you've attached that sample

[miekiemoes]

Btw..

Quote

the date was like several years ago

Many malware does this by the way. This because most people look at the newest files being created. If an older datestamp is used, it's harder to find it

[StephenS]

Alright. It's been uploaded and posted. Let's hope it's the offending malware we are looking for.

[StephenS]

miekiemoes, on Apr 8 2009, 02:36 AM, said:

Btw..

Many malware does this by the way. This because most people look at the newest files being created. If an older datestamp is used, it's harder to find it

o_O

I'll have to remember this. That's another little trick to add to my book of "How to get rid of malware." haha

[miekiemoes]

Quote

Let's hope it's the offending malware we are looking for.

Oh yes, that I'm sure of. It is the malware causing your problems.

* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\DOCUME~1\Stephen\LOCALS~1\msqspuq.bet

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
Your system should reboot now.

Then, Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux2"="wdmaud.drv"

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this:
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Let me know in your next reply how things are now.

[AdvancedSetup]

Running the DDS scan should have shown this information as well.
But I may not have had you upload the sample, so thank you miekiemoes for stepping in. It will help others in the long run.


Jotti online scan of that file:

A-Squared Found nothing
AntiVir Found TR/Agent.caaj.B
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/Delf.OFG
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

[StephenS]

Hmmmmm Well, I don't get it.

I told Hijackthis to delete the file on reboot, but it's still there?!?!

this is what I pasted: C:\DOCUME~1\Stephen\LOCALS~1\msqspuq.bet

Also, when I tried to merge the changes, Explorer crashed just as before.

What's going on here? lol

[miekiemoes]

Quote

Running the DDS scan should have shown this information as well.

It doesn't unfortunately (unless being updated) - If infected with this one, you wouldn't even be able to run DDS.

[miekiemoes]

Hi,

Quote

Also, when I tried to merge the changes, Explorer crashed just as before.

That's normal if the file is still present.

Can you try HIjackthis again? Also delete on reboot option, but click the browse button instead and browse to the file instead of Copy&paste the path in the field. Could be that there was a problem with the shortnames.
Then reboot.

[StephenS]

Well Well Well.

Looks like things are back in business.

1) Regedit works again and I can open a cmd prompt as well. ( I merged the changes into the registry too)

2) No more blocked Bleepingcomputer.com

3) MBAM updated to version 1951

4) No more redirects on Google.

4) Computer seems a bit faster too. haha

I want to say thanks for all your help. Hopefully adding that annoyance to MBAM will save some people some grief.


Thanks again. You guys are pretty smart.