
Generic Downloader.x Malware I think? CLOSED?


Post by furio2k » November 26th, 2008, 3:00 pm

Hello,
I do apologize for not responding, but I was having trouble opening the website that was given to me to post my files in to view them. Is there another website that I can use?
furio2k
Regular Member
 
Posts: 18
Joined: November 9th, 2008, 11:38 pm

Re: Generic Downloader.x Malware Scan results

Post by furio2k » December 1st, 2008, 10:24 am

Here are my results for the Online malware scan:

C:\WINDOWS\system32\CSRLT.EXE
Scan taken on 01 Dec 2008 14:13:23 (GMT)

A-Squared: Found Trojan.Delf.865208!IK
AntiVir: Found TR/Delf.865208
ArcaVir: Found Trojan.Banker.Banker.Ysk
Avast: Found Win32:Trojan-gen {Other}
AVG Antivirus: Found nothing
BitDefender: Found Trojan.Delf.PNH
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found Trojan-Banker.Win32.Banker.ysk
G DATA: Found Win32:Trojan-gen
Ikarus: Found Trojan.Delf.865208
Kaspersky Anti-Virus: Found Trojan-Banker.Win32.Banker.ysk
NOD32: Found nothing
Norman Virus Control: Found W32/Banker.DXBU
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found Trojan-Banker.Win32.Banker.ysk

C:\WINDOWS\MSBLT.EXE

A-Squared: Found Trojan.Delf.865208!IK
AntiVir: Found TR/Delf.865208
ArcaVir: Found Trojan.Banker.Banker.Ysk
Avast: Found Win32:Trojan-gen {Other}
AVG Antivirus: Found nothing
BitDefender: Found Trojan.Delf.PNH
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found Trojan-Banker.Win32.Banker.ysk
G DATA: Found nothing
Ikarus: Found Trojan.Delf.865208
Kaspersky Anti-Virus: Found Trojan-Banker.Win32.Banker.ysk
NOD32: Found nothing
Norman Virus Control: Found W32/Banker.DXBU
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found Trojan-Banker.Win32.Banker.ysk
furio2k
Regular Member
 
Posts: 18
Joined: November 9th, 2008, 11:38 pm

Re: Generic Downloader.x Malware I think? CLOSED?

Post by Shaba » December 2nd, 2008, 2:14 am

Hi furio2k

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Generic Downloader.x Malware I think? CLOSED?

Post by furio2k » December 2nd, 2008, 11:33 am

Unfortunately right now, I will just have to clean it because I can't afford a new laptop right now... Is there a way that I can clean it and be safe for the next 2 or 3 months?
furio2k
Regular Member
 
Posts: 18
Joined: November 9th, 2008, 11:38 pm

Re: Generic Downloader.x Malware I think? CLOSED?

Post by Shaba » December 2nd, 2008, 11:44 am

Yes, we can delete those files, but you will need to do this next:

"If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation."

Delete this folder as well:

C:\Program Files\AskTBar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Generic Downloader.x Malware I think? CLOSED?

Post by furio2k » December 3rd, 2008, 2:22 pm

I was not able to delete AskTBar.

It says access denied.
furio2k
Regular Member
 
Posts: 18
Joined: November 9th, 2008, 11:38 pm

Re: Generic Downloader.x Malware I think? CLOSED?

Post by Shaba » December 3rd, 2008, 2:23 pm

Please close the browser if it was open and try again.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Generic Downloader.x Malware I think? CLOSED?

Post by furio2k » December 6th, 2008, 3:32 am

I tried closing the browser, but it didn't delete.
furio2k
Regular Member
 
Posts: 18
Joined: November 9th, 2008, 11:38 pm

Re: Generic Downloader.x Malware I think? CLOSED?

Post by Shaba » December 6th, 2008, 6:13 am

Thank you for the information.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\Program Files\AskTBar

    :commands
    [EmptyTemp]
    [reboot]


  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Post:

- a fresh HijackThis log
- OTMoveIt3 log
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Generic Downloader.x Malware I think? CLOSED?

Post by furio2k » December 6th, 2008, 10:25 am

========== FILES ==========
C:\Program Files\AskTBar\bar\1.bin moved successfully.
C:\Program Files\AskTBar\bar moved successfully.
C:\Program Files\AskTBar moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Velis\LOCALS~1\Temp\etilqs_e7fAvGZ86D8GRHbM1fpM scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Velis\LOCALS~1\Temp\etilqs_Yv19ZEH6368rb7V3jiNL scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Velis\LOCALS~1\Temp\etilqs_Yv19ZEH6368rb7V3jiNL-journal scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcafee_m0RBIh1zk64Bc20 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_VxCJKxKG3JJxQtN scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_QILMUtPYNWgnLxj scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_tQKLk7aHzSQawDQ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_xP18bk3tHjCwaNb scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_CA7p9eKtSccf6av scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_hk0j2KphqiMWjgF scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_mk5xBnua5fDg1kU scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_O7l9bkmjfhhnyyi scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_SdfJYwO6abQLY4V scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_SVPjmCh0w5j7Lel scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_VwIvVEWfAeucbDJ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV4.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\OfflineCache\index.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12062008_090322

Files moved on Reboot...
File C:\DOCUME~1\Velis\LOCALS~1\Temp\etilqs_e7fAvGZ86D8GRHbM1fpM not found!
File C:\DOCUME~1\Velis\LOCALS~1\Temp\etilqs_Yv19ZEH6368rb7V3jiNL not found!
File C:\DOCUME~1\Velis\LOCALS~1\Temp\etilqs_Yv19ZEH6368rb7V3jiNL-journal not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\mcafee_m0RBIh1zk64Bc20 not found!
File C:\WINDOWS\temp\mcafee_VxCJKxKG3JJxQtN not found!
File C:\WINDOWS\temp\mcmsc_QILMUtPYNWgnLxj not found!
File C:\WINDOWS\temp\mcmsc_tQKLk7aHzSQawDQ not found!
File C:\WINDOWS\temp\mcmsc_xP18bk3tHjCwaNb not found!
C:\WINDOWS\temp\sqlite_CA7p9eKtSccf6av moved successfully.
C:\WINDOWS\temp\sqlite_hk0j2KphqiMWjgF moved successfully.
C:\WINDOWS\temp\sqlite_mk5xBnua5fDg1kU moved successfully.
C:\WINDOWS\temp\sqlite_O7l9bkmjfhhnyyi moved successfully.
C:\WINDOWS\temp\sqlite_SdfJYwO6abQLY4V moved successfully.
C:\WINDOWS\temp\sqlite_SVPjmCh0w5j7Lel moved successfully.
C:\WINDOWS\temp\sqlite_VwIvVEWfAeucbDJ moved successfully.
File C:\WINDOWS\temp\WFV4.tmp not found!
C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\OfflineCache\index.sqlite moved successfully.
C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Velis\Local Settings\Application Data\Mozilla\Firefox\Profiles\9g6gkr72.default\XUL.mfl moved successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:03 AM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\SafeConnect\scManager.sys
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SafeConnect\scClient.exe
C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe
C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
C:\Program Files\Sprint\Sprint SmartView\SwiApiMuxCdma.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sprint SmartView] "C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe" -a
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdumj.exe] C:\WINDOWS\system32\kdumj.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: SafeConnect.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O17 - HKLM\System\CCS\Services\Tcpip\..\{477C2B73-7E6F-4F4D-AD17-9CDC64156B6C}: NameServer = 85.255.112.60;85.255.112.237
O17 - HKLM\System\CCS\Services\Tcpip\..\{7307E821-C1D6-4B3C-8354-1EC14CDC18DC}: NameServer = 85.255.112.60;85.255.112.237
O17 - HKLM\System\CCS\Services\Tcpip\..\{B299A1F8-A4CB-4412-9C80-FAFA23034EC3}: NameServer = 85.255.112.60;85.255.112.237
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAC7BD89-67DC-408D-B941-3603C69809E5}: NameServer = 85.255.112.60;85.255.112.237
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB356F2A-A5EF-40A5-BA55-9779F6B080E1}: NameServer = 85.255.112.60;85.255.112.237
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - C:\Program Files\SafeConnect\scManager.sys servicestart (file missing)
O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - PCTEL - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 11451 bytes
furio2k
Regular Member
 
Posts: 18
Joined: November 9th, 2008, 11:38 pm

Re: Generic Downloader.x Malware I think? CLOSED?

Post by Shaba » December 6th, 2008, 10:40 am

Looks like we have more infections.

Update Malwarebytes' Anti-Malware and run a full scan with it.

Post:

- Malwarebytes' Anti-Malware log
- RSIT log (only log.txt will appear)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Generic Downloader.x Malware I think? CLOSED?

Post by furio2k » December 6th, 2008, 3:18 pm

Malwarebytes' Anti-Malware 1.31
Database version: 1466
Windows 5.1.2600 Service Pack 3

12/6/2008 2:05:19 PM
mbam-log-2008-12-06 (14-05-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 112801
Time elapsed: 36 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 26
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\homeview (Trojan.DNSChanger) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\homeview (Trojan.DNSChanger) -> No action taken.
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdumj.exe -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{477c2b73-7e6f-4f4d-ad17-9cdc64156b6c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{477c2b73-7e6f-4f4d-ad17-9cdc64156b6c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7307e821-c1d6-4b3c-8354-1ec14cdc18dc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b299a1f8-a4cb-4412-9c80-fafa23034ec3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b299a1f8-a4cb-4412-9c80-fafa23034ec3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bac7bd89-67dc-408d-b941-3603c69809e5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bac7bd89-67dc-408d-b941-3603c69809e5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cb356f2a-a5ef-40a5-ba55-9779f6b080e1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cb356f2a-a5ef-40a5-ba55-9779f6b080e1}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{477c2b73-7e6f-4f4d-ad17-9cdc64156b6c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{477c2b73-7e6f-4f4d-ad17-9cdc64156b6c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7307e821-c1d6-4b3c-8354-1ec14cdc18dc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b299a1f8-a4cb-4412-9c80-fafa23034ec3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b299a1f8-a4cb-4412-9c80-fafa23034ec3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bac7bd89-67dc-408d-b941-3603c69809e5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{bac7bd89-67dc-408d-b941-3603c69809e5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cb356f2a-a5ef-40a5-ba55-9779f6b080e1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cb356f2a-a5ef-40a5-ba55-9779f6b080e1}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{477c2b73-7e6f-4f4d-ad17-9cdc64156b6c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{477c2b73-7e6f-4f4d-ad17-9cdc64156b6c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7307e821-c1d6-4b3c-8354-1ec14cdc18dc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b299a1f8-a4cb-4412-9c80-fafa23034ec3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{b299a1f8-a4cb-4412-9c80-fafa23034ec3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{bac7bd89-67dc-408d-b941-3603c69809e5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{cb356f2a-a5ef-40a5-ba55-9779f6b080e1}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> No action taken.
C:\Program Files\homeview (Trojan.DNSChanger) -> No action taken.
C:\Documents and Settings\Velis\Start Menu\Programs\homeview (Trojan.DNSChanger) -> No action taken.

Files Infected:
C:\WINDOWS\system32\kdumj.exe (Rootkit.DNSChanger.H) -> No action taken.
C:\resycled\boot.com (Trojan.DNSChanger) -> No action taken.
C:\Program Files\homeview\Uninstall.exe (Trojan.DNSChanger) -> No action taken.
C:\Documents and Settings\Velis\Start Menu\Programs\homeview\Uninstall.lnk (Trojan.DNSChanger) -> No action taken.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> No action taken.

I'm having trouble with the RST program... it keeps saying AutoIt Error Line -1: Error: Error parsing function call.
furio2k
Regular Member
 
Posts: 18
Joined: November 9th, 2008, 11:38 pm

Re: Generic Downloader.x Malware I think? CLOSED?

Unread postby Shaba » December 6th, 2008, 3:31 pm

Please then run this instead:

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following reports in your next reply:

DDS.txt
Attach.txt

Tell me also whether you let Malwarebytes remove what it found.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Generic Downloader.x Malware I think? CLOSED?

Unread postby furio2k » December 6th, 2008, 6:22 pm

DDS (Version 1.0) - NTFSx86
Run by Velis at 17:07:21.59 on Sat 12/06/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.595 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\SafeConnect\scManager.sys
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SafeConnect\scClient.exe
C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
C:\Program Files\Sprint\Sprint SmartView\SwiApiMuxCdma.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Velis\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: System=kdumj.exe
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [TFncKy] TFncKy.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [c:\windows\system32\kdumj.exe] c:\windows\system32\kdumj.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\safeco~1.lnk - c:\program files\safeconnect\scClient.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {477C2B73-7E6F-4F4D-AD17-9CDC64156B6C} = 85.255.112.60;85.255.112.237
TCP: {7307E821-C1D6-4B3C-8354-1EC14CDC18DC} = 85.255.112.60;85.255.112.237
TCP: {B299A1F8-A4CB-4412-9C80-FAFA23034EC3} = 85.255.112.60;85.255.112.237
TCP: {BAC7BD89-67DC-408D-B941-3603C69809E5} = 85.255.112.60;85.255.112.237
TCP: {CB356F2A-A5EF-40A5-BA55-9779F6B080E1} = 85.255.112.60;85.255.112.237
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-3 207656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\McSACore.exe" [2008-10-1 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-3 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-3 144704]
R2 SCManager;SafeConnect Manager;c:\program files\safeconnect\scManager.sys servicestart []
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-3 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-3 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-3 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-3 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-3 34152]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-29 27904]

=============== Created Last 30 ================

2008-12-06 08:46 <DIR> --d----- C:\_OTMoveIt
2008-12-02 23:12 12,288 a--sh--- c:\windows\Thumbs.db
2008-11-29 20:52 590 a------- c:\windows\sglt02.exe
2008-11-29 19:46 15,360 a--sh--- c:\windows\system32\Thumbs.db
2008-11-29 19:34 <DIR> --d----- c:\program files\homeview
2008-11-29 19:34 27,904 a------- c:\windows\system32\drivers\ndisprot.sys
2008-11-29 19:34 <DIR> --dshr-- C:\resycled
2008-11-27 21:43 <DIR> --d----- c:\program files\VirusTotalUploader
2008-11-23 00:08 31,744 ac------ c:\windows\system32\dllcache\wceusbsh.sys
2008-11-23 00:08 31,744 a------- c:\windows\system32\drivers\wceusbsh.sys
2008-11-17 15:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-11-13 10:51 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-13 10:40 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 22:42 <DIR> --d----- c:\program files\Trend Micro
2008-11-09 19:37 <DIR> a-dshr-- C:\cmdcons
2008-11-09 19:32 161,792 a------- c:\windows\SWREG.exe
2008-11-09 19:32 98,816 a------- c:\windows\sed.exe
2008-11-08 05:10 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-08 05:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-08 04:11 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-08 04:11 1,409 a------- c:\windows\QTFont.for
2008-11-08 03:06 <DIR> --d----- c:\docume~1\velis\applic~1\Sierra Wireless
2008-11-08 02:55 17,920 a------- c:\windows\system32\apintfnt.dll
2008-11-08 02:43 <DIR> --d----- c:\program files\Novatel Wireless
2008-11-08 02:43 <DIR> --d----- c:\program files\Sprint
2008-11-08 02:29 <DIR> --d----- c:\docume~1\velis\applic~1\Malwarebytes
2008-11-08 02:29 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-08 02:29 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-08 02:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-08 02:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 11:58 149,512 a------- c:\windows\system32\drivers\swmx00.sys
2008-10-15 11:58 222,720 a------- c:\windows\system32\drivers\NWADIenum.sys
2008-10-15 11:58 38,680 a------- c:\windows\system32\drivers\pctnullport.sys
2008-10-15 11:56 61,440 a------- c:\windows\system32\pxfhwmcp.dll
2008-10-15 11:56 32,408 a------- c:\windows\system32\PCTINDIS5.sys
2008-10-15 11:56 138,016 a------- c:\windows\system32\PCTIN50.dll
2008-09-30 17:51 85,378,264 a------- C:\BackupRegistry(20080930).reg
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 a------- c:\windows\system32\msxml6.dll

============= FINISH: 17:09:33.01 ===============


Malwarebytes quarantined 3 files back on November 8: C:\WINDOWS\fmark2.dat
HKEY_CLASSES_ROOT\CLSID (Two Registry Keys)
furio2k
Regular Member
 
Posts: 18
Joined: November 9th, 2008, 11:38 pm

Re: Generic Downloader.x Malware I think? CLOSED?

Unread postby Shaba » December 7th, 2008, 5:42 am

I mean, did you let Malwarebytes quarantine everything it found in the 12/6/2008 2:05:19 PM
mbam-log-2008-12-06 (14-05-08).txt scan?

I ask because, according to your DDS log, it doesn't look like it.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
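The cross-check Shaba is doing by eye, written out as an added example that is not part of this thread: it reads Malwarebytes findings left at "No action taken", then confirms against the DDS report whether the flagged executable and the changed NameServer entries are still present, and separately flags any interface whose resolvers fall outside an allowlist. The log excerpts are constructed from the lines above, and ALLOWED_DNS is a hypothetical allowlist an administrator would supply.

```python
import re
# Constructed excerpts modelled on the thread's two logs (not the full logs).
MBAM_LOG = r"""HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{477c2b73-7e6f-4f4d-ad17-9cdc64156b6c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60;85.255.112.237 -> No action taken.
C:\WINDOWS\system32\kdumj.exe (Rootkit.DNSChanger.H) -> No action taken.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""
DDS_LOG = r"""mWinlogon: System=kdumj.exe
mRun: [c:\windows\system32\kdumj.exe] c:\windows\system32\kdumj.exe
TCP: {477C2B73-7E6F-4F4D-AD17-9CDC64156B6C} = 85.255.112.60;85.255.112.237
TCP: {B299A1F8-A4CB-4412-9C80-FAFA23034EC3} = 192.168.1.1
"""
# Hypothetical allowlist of resolvers this machine is expected to use.
ALLOWED_DNS = {"192.168.1.1"}

MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^)]+)\)(?: -> Data: (?P<data>.+?))? -> (?P<action>.+)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
def parse_mbam(text):
    """One dict per Malwarebytes finding: item, threat, data (None for files), action."""
    return [m.groupdict() for m in map(MBAM_RE.match, text.strip().splitlines()) if m]

def parse_dds_tcp(text):
    """Interface GUID (upper-case) -> list of DNS servers taken from DDS 'TCP:' lines."""
    servers = {}
    for line in text.splitlines():
        m = re.match(r"^TCP: \{([0-9A-Fa-f-]{36})\} = (.+)$", line.strip())
        if m:
            servers[m.group(1).upper()] = m.group(2).split(";")
    return servers

def unactioned(findings):
    """Findings the user left in place instead of letting Malwarebytes quarantine them."""
    return [f for f in findings if f["action"].startswith("No action taken")]

def rogue_interfaces(servers, allowed=ALLOWED_DNS):
    """Interfaces whose resolver list contains anything outside the allowlist."""
    return {g: s for g, s in servers.items() if not set(s) <= allowed}

def still_present(findings, dds_text):
    """Unactioned items that still show up in the DDS report, i.e. were never remediated."""
    low = dds_text.lower()
    tcp = parse_dds_tcp(dds_text)
    hits = []
    for f in unactioned(findings):
        guid = GUID_RE.search(f["item"])
        if guid and f["item"].endswith("NameServer"):  # registry DNS entry: compare by GUID
            if tcp.get(guid.group(1).upper()) == (f["data"] or "").split(";"):
                hits.append(f["item"])
        elif f["item"].rsplit("\\", 1)[-1].lower() in low:  # file: basename still listed
            hits.append(f["item"])
    return hits
```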