deusgrego

Trojan.Win32.Dropper.Gen

45 posts in this topic

Avast had been giving notifications about files being quarantined, but every time it and Norton ran a full scan nothing populated, so my wife thought everything was fine. But I noticed that the laptop had been getting slower, and there were other issues, such as programs that had worked previously but, once uninstalled, would not reinstall (e.g. Skype, Malwarebytes, Mass Effect 3). When trying to install those programs we receive the error message "Runtime error 216 at *********". The "*" numbers change depending on the program. I've been able to get the programs to install by entering safe mode. While I was on the laptop I chanced to see the virus notification. It is finding the virus in the topic title, and the files quarantined are named "dwh3043.crdownload", just with different numbers after the dwh, and also files named "DWHA***.tmp". The files are located in C:\users\"system user"\AppData\Local\Temp.

Attached is the log file from hijackthis, and two from dds.scr.

Your help is very much appreciated so thanks in advance!

PFC Slinger, Michael

Combat Medic US Army

“Being in the army is like being in the Boy Scouts, except that the Boy Scouts have adult supervision." -Blake Clark

Attach.txt

DDS.txt

hijackthis.log


Welcome to the forum.

Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against our policy:

http://forums.malwar...showtopic=97700

MrC


Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!!!!!!!)

Post back the report.

MrC


RogueKiller V7.6.3 [07/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Slinger Family [Admin rights]

Mode: Scan -- Date: 07/11/2012 21:49:02

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤

[sUSP PATH] {14ED23BD-AEDA-41FA-865F-EB1A33453E28}.job @ : C:\Users\Slinger Family\Desktop\saveedit\Gibbed.MassEffect3.SaveEdit.exe -> FOUND

[sUSP PATH] {53AABE41-D0FD-4C00-A298-D919EF8F86FF}.job @ : C:\Users\Slinger Family\Desktop\saveedit\Gibbed.MassEffect3.SaveEdit.exe -> FOUND

[sUSP PATH] {69D4A4A6-B80B-4CE2-9940-8A16A3B03895}.job @ : C:\Users\Slinger Family\Desktop\saveedit\Gibbed.MassEffect3.SaveEdit.exe -> FOUND

[sUSP PATH] {DE13BAF0-8172-47E6-BF73-C692D98984A2}.job @ : C:\Users\Slinger Family\Desktop\me3\OriginInstaller.exe -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST975042 0AS SATA Disk Device +++++

--- User ---

[MBR] df5f2a357af0b0d5b8dff0bc6680cd36

[bSP] bee1f23af191fbaa51922b5a56c0af45 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 690713 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1414989824 | Size: 20428 Mo

3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1456826368 | Size: 4062 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt
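The report above is plain text with a fixed shape: ¤¤¤ section headers with a count, one finding per line in the form "[TAG] name : target -> STATUS", then MBR and boot-sector hashes and a partition table. Reading it by eye works for one machine; for triage across several it helps to parse it. The following is an added example written for this thread (not RogueKiller's own code, and not part of the original post); it parses a constructed sample built from the lines above and ranks the findings the way a helper would read them. RogueKiller's [SUSP PATH] fires for any scheduled task whose target sits outside the usual program directories, so a save editor the user put on the Desktop shows up next to real persistence, and the [HJ] NewStartPanel entries are the HideDesktopIcons values for two well-known shell folders. The forum software rendered "[SUSP PATH]" as "[sUSP PATH]" and "[BSP]" as "[bSP]", so the parser matches those tags case-insensitively. The USER_WRITABLE pattern and the two CLSID labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample modelled on the RogueKiller report posted above (a subset of its lines).
SAMPLE_REPORT = r"""
RogueKiller V7.6.3 [07/08/2012] by Tigzy
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Mode: Scan -- Date: 07/11/2012 21:49:02

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤
[sUSP PATH] {14ED23BD-AEDA-41FA-865F-EB1A33453E28}.job @ : C:\Users\Slinger Family\Desktop\saveedit\Gibbed.MassEffect3.SaveEdit.exe -> FOUND
[sUSP PATH] {DE13BAF0-8172-47E6-BF73-C692D98984A2}.job @ : C:\Users\Slinger Family\Desktop\me3\OriginInstaller.exe -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST975042 0AS SATA Disk Device +++++
[MBR] df5f2a357af0b0d5b8dff0bc6680cd36
[bSP] bee1f23af191fbaa51922b5a56c0af45 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 690713 Mo
"""

# Assumption for this example: task targets under these profile folders deserve a closer look,
# because both user-installed tools and malware droppers end up there.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\", re.I)

# Well-known shell folder CLSIDs that appear under HideDesktopIcons\NewStartPanel.
KNOWN_SHELL_CLSIDS = {
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "Computer",
    "{59031A47-3F72-44A7-89C5-5595FE6B30EE}": "User's Files",
}

SECTION_RE = re.compile(r"^¤¤¤\s*(.*?)\s*¤¤¤$")
FINDING_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<body>.+?)\s+->\s+(?P<status>\S+)$")
MBR_RE = re.compile(r"^\[(?P<kind>MBR|BSP)\]\s+(?P<md5>[0-9a-f]{32})(?:\s+:\s+(?P<desc>.+))?$", re.I)
PART_RE = re.compile(
    r"^(?P<idx>\d+)\s+-\s+\[(?P<flag>\w+)\]\s+(?P<fs>\S+)\s+\((?P<type>0x[0-9a-f]+)\)\s+"
    r"\[(?P<vis>\w+)\]\s+Offset \(sectors\):\s+(?P<offset>\d+)\s+\|\s+Size:\s+(?P<size>\d+)\s+Mo$",
    re.I,
)


@dataclass
class Finding:
    section: str   # section header the line appeared under
    tag: str       # "SUSP PATH", "HJ", ... normalised to upper case
    name: str      # task file or registry key
    target: str    # executable path or registry value
    status: str    # FOUND, etc.


@dataclass
class Report:
    header: Dict[str, str] = field(default_factory=dict)
    sections: Dict[str, str] = field(default_factory=dict)   # section -> count/value text
    findings: List[Finding] = field(default_factory=list)
    mbr_hashes: Dict[str, str] = field(default_factory=dict)  # "MBR"/"BSP" -> md5
    partitions: List[dict] = field(default_factory=list)


def parse_report(text: str) -> Report:
    rep = Report()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, _, value = m.group(1).partition(":")
            section = name.strip()
            rep.sections[section] = value.strip()
            continue
        m = MBR_RE.match(line)
        if m:
            rep.mbr_hashes[m.group("kind").upper()] = m.group("md5")
            continue
        m = PART_RE.match(line)
        if m:
            rep.partitions.append({"idx": int(m["idx"]), "flag": m["flag"], "fs": m["fs"],
                                   "type": m["type"], "visible": m["vis"] == "VISIBLE",
                                   "offset": int(m["offset"]), "size_mb": int(m["size"])})
            continue
        m = FINDING_RE.match(line)
        if m:
            body = m.group("body")
            # "[SUSP PATH] <task>.job @ : <path>" versus "[HJ] <key> : <value>"
            sep = " @ : " if " @ : " in body else " : "
            name, _, target = body.partition(sep)
            rep.findings.append(Finding(section, m.group("tag").upper(), name.strip(), target.strip(), m.group("status")))
            continue
        if section == "header" and ":" in line:
            key, _, value = line.partition(":")
            rep.header[key.strip()] = value.strip()
    return rep


def triage(rep: Report) -> List[Tuple[str, str]]:
    """Return (name, note) pairs describing what each finding most likely is and what to do."""
    notes = []
    for f in rep.findings:
        if f.tag == "SUSP PATH":
            where = "user-writable location" if USER_WRITABLE.search(f.target) else "other location"
            notes.append((f.name, f"scheduled task runs {f.target} ({where}); confirm with the user before removal"))
        elif f.tag == "HJ":
            label = KNOWN_SHELL_CLSIDS.get(f.target.split()[0].upper())
            if label:
                notes.append((f.name, f"desktop icon '{label}' hidden; a Windows setting, cosmetic unless unexpected"))
            else:
                notes.append((f.name, f"unrecognised value {f.target}; review manually"))
        else:
            notes.append((f.name, f"{f.tag}: {f.target}; review manually"))
    return notes


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("sections:", report.sections)
    print("MBR/BSP md5:", report.mbr_hashes)
    for name, note in triage(report):
        print(f"{name}: {note}")
```

The MBR and boot-sector MD5s are kept so two reports from the same machine can be compared: if the boot code hash changes between scans without a Windows update in between, that is the cue to look at the bootkit tools suggested later in the thread.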


Next..........

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC (gone for tonight...be back tomorrow am)


I was able to follow the above post up until running of TDSSKiller.exe. Unfortunately it does not run. Do I try in safe mode? I've attached what task manager shows is running just in case it is loading/loaded and I'm just going crazy. The attachment is 20 min after I tried running TDSSKiller.

post-114655-0-57404500-1342104687.png


Yes, try it in safe mode, MrC


When running in safe mode, at 10% initialization TDSSKiller warns that it cannot initialize the log, and at 40% that it cannot load the driver. After running a search through the C: drive, no log file was created. When clicking on Report inside TDSSKiller, nothing is inside, although it did find 1 threat: Suspicious object: IconMan_R ( UnsignedFile.Multi.Generic ), which I skipped per directions.


See if you can run ComboFix.........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Just as a heads up, I work in an emergency room. Scheduling is a little hectic sometimes. But for this weekend you probably will not hear from me until after 1900.


OK, delete your copy of TDSSKiller and download a fresh one, see if you can run it.

You can try to run it in safe mode if needed.

If it won't run.....

Cut and paste TDSSKiller.exe into Malwarebytes Chameleon folder:

C:\Program Files\Malwarebytes' Anti-Malware\Chameleon

Install the Chameleon driver by doing the following:

Press the Windows key + R and in the Run box, copy and paste the following command then press Enter.

"%programfiles%\Malwarebytes' Anti-Malware\Chameleon/mbam-chameleon.com" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do until the Dos prompt disappears.

Execute TDSSKiller.exe by double-clicking on it in the Chameleon folder.

See if it runs.

Let me know, MrC


When I copy/paste the command to install the drivers, I receive a "location not available" error. Malwarebytes is installed in the Program Files (x86) folder. I tried changing the command to "%programfiles(x86)%\..." with and without spaces, all to no avail. I ended up running cmd and then mbam-chameleon.com /o. It said it got the driver OK. TDSSKiller still does not run, either with double-click or Run as administrator.


Please do this instead....

Download aswMBR to your desktop.

http://public.avast....erek/aswMBR.exe

Double click the aswMBR.exe to run it.

If you see this question: "Would you like to download latest Avast! virus definitions?", say "Yes".

Click the "Scan" button to start scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Please zip it up and attach it to your next post.

MrC


In safe mode, I tried the cmd prompt and got "driver is already loaded... failed to start driver... enabling driver... failed...". TDSSKiller had the exact same result as the previous run in safe mode.


OK, run aswMBR as outlined in the post above yours, MrC


Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and Scan unwanted applications are checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC


5 items quarantined and deleted: 3 Android applications, 1 Rosetta Stone component, 1 application (cheat engine.exe).
