Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Soglueda.A infection - Windows XP

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 19th, 2011, 11:58 pm

Good day crazyfire,

Please copy these instructions for ease of reference.
Ensure the USB drive is attached, this is important; it isn't as simple as just delete as you've seen, it will recreate the file. We have to get the bad files all at once, as the infection is a worm. Do not remove the USB until the CFScript is done please.

Backup with ERUNT

  • Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  • Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  • Now click on "OK". A registry backup has now been created.



--------------------------------------------------------------------

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Code: Select all
        KILLALL::
        FCopy::
        C:\windows\system32\dllcache\services.exe | c:\windows\system32\services.exe
        File::
        C:\windows\system32\winm.dll
        E:\dllrun.exe
        Registry::
        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
        "5985:TCP"=-
        

  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!

  5. When finished ComboFix will create a log file... you can save this file to a convenient place.

Post Instructions - Use attach please
Please use the Upload Attachment at bottom of reply screen and attach the ComboFix log file ,
NOT copy/paste in your next reply.

Post in the reply window with how the computer is doing now please.
Thank you

turtledove
Edit: Edit at top off post, to clarify.
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
Advertisement
Register to Remove

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 20th, 2011, 9:40 pm

I will do that right now, I just need to copy the script.
what about "services.exe " and " .cmd"?
When I run the script, I will also sort System32 by date, and look at the ones by .cmd, as this worm seems to be using one specific date.
I assume you don't need the screenshots of "services.exe" and "services.exe "
Be back when CF is done.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 20th, 2011, 10:14 pm

Current Date is 01/20/11. ComboFix has expired. Press yes to run in REDUCED FUNCTIONALITY mode. No to exit.
What should I do?
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 20th, 2011, 10:15 pm

On a side note, what/who is sUBs?
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 21st, 2011, 1:14 am

Hi crazyfirex,

Please delete ONLY ComboFix.exe
Next, Download ComboFix from one of these locations:

Link 1
Link 2

Place it on the computer we're working on on the desktop.
Run the above instructions as written, do not rearrange anything in the log please. Remember to attach log, describe how the pc is working in the reply window.
sUBs is the program author. The files will be taken care of.

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 21st, 2011, 11:35 pm

I need to copy the log back to a clean computer (posting from my phone), but it failed to delete " .cmd" and "winm.dll"
It seems FCopy was unsuccessful, as services.exe is still 347 KBm

I noticed it was trying to delete a.cmd (with an accent over the a)

I can no longer find the bogus svchost.exe
odd...
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 22nd, 2011, 12:06 am

Good evening,

Thanks for the note. What I need to know may only show in the attached log. We'll see. Did you leave the USB in as well while CF ran?

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 22nd, 2011, 12:12 am

I did leave it in, that was the one successful deletion.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 22nd, 2011, 12:32 am

Good evening crazyfire,

Good to know. Please let me know when you can attach the log, and how the system is behaving. I'd leave the USB in each time CF runs.
Once I see the attached log, I may consult my colleague to see what's up depending on what we see or not.

TD
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 23rd, 2011, 11:29 am

Here is the log.
You do not have the required permissions to view the files attached to this post.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 23rd, 2011, 9:16 pm

Good evening crazyfox,

Thank you for the log. Will look into everything again and be back asap.
Thank you for the patience while doing this.
:)
turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 24th, 2011, 12:56 am

Good day crazyfirex,

Please try the following:

Download after filing in the information for the Trial, then transfer to this computer.
ESET 30 Day Trial from here:
http://www.eset.com/download/free-trial/nod32-antivirus
Before the scan:
If there is an option to clean or not please uncheck Clean. I want to see what gets picked up or not.
If it runs, post the log. If not, let me know.
We may run it a second time if it shows what we're looking for and go from there.
If not we may need to take a different route.

Thanks,

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby crazyfirex » January 25th, 2011, 6:05 pm

ESET was not made for forum logs, but I did my best (it took some searching)

Here are a few different logs.

Full computer scan

Scan Log
Version of virus signature database: 5592 (20101104)
Date: 1/24/2011 Time: 9:17:04 PM
Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
C:\WINDOWS\system32\services.exe - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - unable to clean
C:\pagefile.sys - error opening [4]
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\locationbar2@design-noir.de\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\longurlplease@darragh.curran\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\omnibar@ajitk.com\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\pagezipper@printwhatyoulike.com\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\smarterwiki@wikiatic.com\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\tineye@ideeinc.com\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\webnotestoolbar@webnotes.net\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\yetanothersmoothscrolling@kataho\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\{bed1bcec-57d3-47e1-a32b-b4e5f3003019}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\{bfe3406c-6f31-4789-86d5-efa50e12c9eb}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8yl4eucn.default\extensions\{f8b811fa-75a4-41f7-8fdd-376a02a29aa6}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Sun\Java\jre1.6.0_23\Data1.cab » CAB » core.zip » ZIP » lib/deploy/ffjcext.zip » ZIP » {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Sun\Java\jre1.6.0_23\Data1.cab » CAB » core.zip » ZIP » lib/deploy/jqs/ff/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Sun\Java\jre1.6.0_23\Data1.cab » CAB » core.zip » ZIP » lib/resources.jar » ZIP » com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Sun\Java\jre1.6.0_23\Data1.cab » CAB » core.zip » ZIP » lib/resources.jar » ZIP » com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Application Data\Sun\Java\jre1.6.0_23\Data1.cab » CAB » core.zip » ZIP » lib/resources.jar » ZIP » javax/xml/bind/Messages.properties » MIME - is OK (internal scanning not performed)
C:\Documents and Settings\User\Local Settings\Application Data\Identities\{33931DD3-A732-4412-AD16-19AC05E0535B}\Microsoft\Outlook Express\Inbox.dbx » DBX - is OK (internal scanning not performed)
C:\Documents and Settings\User\My Documents\Downloads\unconfirmed 2153.crdownload » NSIS - archive damaged
C:\Documents and Settings\User\My Documents\Downloads\setups\ake_100b2_setup.exe » NSIS - bad archive
C:\Documents and Settings\User\My Documents\Downloads\setups\Binedit.zip » ZIP » Binedit.exe - probably a variant of Win32/Agent.HGIIQZD trojan
C:\Documents and Settings\User\My Documents\Downloads\setups\Binedit\Binedit.exe - probably a variant of Win32/Agent.HGIIQZD trojan - cleaned by deleting - quarantined [1]
C:\Program Files\7-Zip\Uninstall.exe » NSIS - incorrect CRC checksum, the file may be damaged
C:\Program Files\Accent Keyword Extractor\Uninst.exe » NSIS - bad archive
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht1 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht2 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht11 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht21 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht5 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht6 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht7 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht8 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht9 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht01 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht12 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht13 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht14 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht15 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht16 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht17 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht18 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht19 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht20 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht3 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht22 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht23 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht10 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\LS_HSI.msi » MSI » Data1.cab » CAB » getting_started.mht4 » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\ara\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\chs\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\cht\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\csy\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\dan\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\deu\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\ell\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\enu\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\esn\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\fin\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\fra\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\heb\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\ita\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\jpn\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\kor\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\nld\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\nor\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\plk\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\ptb\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\ptg\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\rus\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\sky\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\sve\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Common Files\LightScribe\Content\trk\Getting Started.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » javax/xml/bind/Messages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\deploy\ffjcext.zip » ZIP » {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\deploy\jqs\ff\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\comm.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\pippki.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Qoobox\Quarantine\C\WINDOWS\system32\_winm_.dll.zip » ZIP » winm.dll - probably a variant of Win32/Spy.KeyLogger.ICJFNME trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_winm_.dll.zip » ZIP » winm.dll.1 - probably a variant of Win32/Spy.KeyLogger.ICJFNME trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_winm_.dll.zip » ZIP » winm.dll.3 - probably a variant of Win32/Spy.KeyLogger.ICJFNME trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_ _.cmd.zip » ZIP »  .cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_ _.cmd.zip » ZIP »  .cmd.1 - probably a variant of Win32/Spy.Agent.MPBWYQU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_ _.cmd.zip » ZIP »  .cmd.3 - probably a variant of Win32/Spy.Agent.MPBWYQU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_ _.cmd.zip » ZIP »  .cmd.4 - probably a variant of Win32/Spy.Agent.MPBWYQU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_ _.cmd.zip » ZIP »  .cmd.6 - probably a variant of Win32/Spy.Agent.MPBWYQU trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\_ _.cmd.zip » ZIP »  .cmd.7 - probably a variant of Win32/Spy.Agent.MPBWYQU trojan
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP103\A0014506.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP105\A0014684.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP105\A0014687.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP105\A0015687.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP105\A0015690.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP106\A0016690.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP106\A0017690.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP107\A0017803.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP107\A0017806.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP109\A0017857.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP109\A0017908.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP109\A0017940.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP111\A0017953.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP111\A0017979.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP113\A0018979.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP114\A0019021.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP116\A0019048.msi » MSI » KAVKIS11.cab » CAB » AntiBanner_chrome.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP116\A0019048.msi » MSI » KAVKIS11.cab » CAB » THBExt_2_x_chrome.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP116\A0019048.msi » MSI » KAVKIS11.cab » CAB » THBExt_3_1_x_chrome.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP116\A0019048.msi » MSI » KAVKIS11.cab » CAB » WebToolBar_chrome.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP116\A0019064.exe - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP117\A0019066.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP117\A0019101.msi » MSI » KAVKIS11.cab » CAB » AntiBanner_chrome.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP117\A0019101.msi » MSI » KAVKIS11.cab » CAB » THBExt_2_x_chrome.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP117\A0019101.msi » MSI » KAVKIS11.cab » CAB » THBExt_3_1_x_chrome.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP117\A0019101.msi » MSI » KAVKIS11.cab » CAB » WebToolBar_chrome.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP117\A0019135.rbf » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP117\A0019137.rbf » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP117\A0019962.rbf » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP117\A0019963.rbf » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP119\A0019999.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP119\A0020100.rbf » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP120\A0020149.dll - probably a variant of Win32/Spy.KeyLogger.ICJFNME trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP120\A0020150.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP121\A0020228.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP126\A0020665.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP127\A0020763.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP75\A0013071.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP76\A0013092.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP80\A0013172.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP81\A0013209.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP84\A0013263.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP86\A0013312.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP95\A0014312.cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP96\A0014470.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP96\A0014471.manifest » MIME - is OK (internal scanning not performed)
C:\System Volume Information\_restore{BD207D33-211A-4A63-96DE-7411A5BA8B07}\RP96\A0014487.manifest » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\403e7.msi » MSI » ISSetupFile.SetupFile13 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\403e7.msi » MSI » ISSetupFile.SetupFile10 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\403eb.msi » MSI » ISSetupFile.SetupFile33 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\403eb.msi » MSI » ISSetupFile.SetupFile37 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\403f5.msi » MSI » ISSetupFile.SetupFile22 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\403f5.msi » MSI » ISSetupFile.SetupFile25 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\403fe.msi » MSI » ISSetupFile.SetupFile11 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\403fe.msi » MSI » ISSetupFile.SetupFile13 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\40402.msi » MSI » ISSetupFile.SetupFile15 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\40402.msi » MSI » ISSetupFile.SetupFile16 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\40406.msi » MSI » ISSetupFile.SetupFile13 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\40406.msi » MSI » ISSetupFile.SetupFile14 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\4040d.msi » MSI » ISSetupFile.SetupFile7 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\4040d.msi » MSI » ISSetupFile.SetupFile10 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\$PatchCache$\Managed\26DDC2EC4210AC63483DF9D4FCC5B59D\3.5.30729\Chrome_manifest.3643236F_FC70_11D3_A536_0090278A1BB8 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\WINDOWS\system32\services.exe - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - unable to clean
C:\WINDOWS\system32\ .cmd - probably a variant of Win32/Spy.Agent.MPBWYQU trojan - cleaned by deleting (after the next restart) [1,2]
Number of scanned objects: 122684
Number of threats found: 43
Number of cleaned objects: 31
Time of completion: 9:58:51 PM Total scanning time: 2507 sec (00:41:47)

Notes:
[1] Object has been deleted as it only contained the virus body.
[2] Object is in use (open or running). A system restart is required for the cleaning to complete.
[4] Object cannot be opened. It may be in use by another application or operating system.
EOF


Scan of E:\ (flash drive)

Scan Log
Version of virus signature database: 5592 (20101104)
Date: 1/24/2011 Time: 10:07:04 PM
Scanned disks, folders and files: E:\Boot sector;E:\
E:\dllrun.exe - probably a variant of Win32/Spy.Agent.MPBWYQU trojan
E:\Qoobox\Quarantine\E\dllrun.exe.vir - probably a variant of Win32/Spy.Agent.MPBWYQU trojan
Number of scanned objects: 10075
Number of threats found: 2
Number of cleaned objects: 0
Time of completion: 10:15:43 PM Total scanning time: 519 sec (00:08:39)
EOF


I also have a scan of C:\Windows. I hope I managed to find all of the options to not clean the system, but it does startup scans without that option. Once again, it is not primarily a diagnostic tool. qooBox is kasperskey's quarantine, I attempted to use their free trial, but it does not work offline.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 26th, 2011, 12:05 am

Good evening crazyfirex,

Thank you for the logs. I'll go through and see what is best to do next. Be back as soon as possible.

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Unread postby turtledove » January 26th, 2011, 3:53 pm

Good day crazyfirex,

Please do the following

**Note: do NOT delete anything on your own, and NO rearranging please**
SystemLook
Insert USB if it is not please
Please re run SystemLook It should still be on your Desktop. Links if needed:
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
        :filefind
        svchost.ex*
        winm.dl*
        


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

**Be patient, it may take some time to scan**

Post
SystemLook.txt

Thank you

turtledove
User avatar
turtledove
Retired Graduate
 
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware