Author Topic: Help me clean up win 32 malware-gen. (c:\windows\temp\****\setup.exe)  (Read 3106 times)

Offline Blackpig

I've done the first step by MBAM, and here is the log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6514

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/5/2011 9:55:39 AM
mbam-log-2011-05-05 (09-55-39).txt

Scan type: Quick scan
Objects scanned: 186358
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Value: idln2 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Value: bk -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegistryMonitor1 (Trojan.Agent) -> Value: RegistryMonitor1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\RegistryMonitor2 (Malware.Trace) -> Value: RegistryMonitor2 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\Admin\application data\shoppingreport2 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\db (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\dwld (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\report (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\res1 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\program files\resultbar (Adware.ResultBar) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\mom and auntie yao\local settings\temp\{1bb22d38-a411-4b13-a746-c2a4f4ec7344}\searchguardplus.exe (PUP.Fbsearch) -> Quarantined and deleted successfully.
c:\documents and settings\mom and auntie yao\local settings\temp\{1bb22d38-a411-4b13-a746-c2a4f4ec7344}\update.exe (PUP.Fbsearch) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\RMDZ36RR\TFC[1].exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\userinitxx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\resultbar\resultbar(2).exe (Adware.ResultBar) -> Quarantined and deleted successfully.




What should I do next?

Offline Blackpig

Actually, it's win 32 dropper-gen, not malware-gen. Sorry for that.
« Last Edit: May 05, 2011, 05:37:14 PM by Blackpig »

Offline magna86

Hi. Let's see if there are any remains...

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.

    * When done, DDS will open two (2) logs:
         1. DDS.txt
         2. Attach.txt

Save both reports to your desktop. Attach DDS.txt to the topic.

Offline Blackpig

Thank you a lot! Here they are!

Offline magna86


OK. Except for a couple of adware items, you have no active malware on your system.

 
--> The first thing you need to do is to install the latest version of avast antivirus.
The current version that you may download for free is avast 6.0.1091.


--> Next ...
Start >> Control Panel >> Add or Remove Programs

Uninstall:

Fast Browser Search Toolbar
Productivity 2.2 Toolbar
Conduit Engine
&Windows Live Toolbar

--> Next...
Download CCleaner from here:
http://www.piriform.com/ccleaner

Run the Registry and Cleaner tools. Also disable your unnecessary startup entries:
Tools >> Startup >> select unnecessary program >> disable

Do not disable these entries:
avast
ctfmon.exe

Disable all but leave these if you are in the habit of using them:
MsnMsgr
MSMSGS
uTorrent
skype
USB Antivirus
log me in
FixCamera


Download and run Wise Registry Cleaner and Puran Disk Defragmenter:

http://www.wisecleaner.com/wiseregistrycleanerfree.html
http://www.puransoftware.com/Puran-Defrag-Download.html


About USB Antivirus:
I recommend that you uninstall this software and use MCShield to prevent infections via USB drives.

http://amf.mycity.rs/programs/mc/mcshield/index.html

Offline Blackpig

I can't access Add or Remove Programs, though other items in Control Panel are still OK. Moreover, avast shows that it keeps blocking redirects to two malicious sites. Plus, I can't use Google Chrome. Is my problem really solved?

Offline Zyndstoff (aka Steven Gail)

Download aswMBR from here: Click! (511KB) to your desktop.

Double click aswMBR on the desktop to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click save log, save it to your desktop and post it in your next reply.
« Last Edit: May 05, 2011, 08:10:42 PM by Zyndstoff (aka Steven Gail) »
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Blackpig

Thank you very much. Below is the log:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-05 14:35:14
-----------------------------
14:35:14.843    OS Version: Windows 5.1.2600 Service Pack 3
14:35:14.843    Number of processors: 2 586 0x170A
14:35:14.843    ComputerName: DG83K22S  UserName: Admin
14:35:15.562    Initialize success
14:35:17.500    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:35:17.500    Disk 0 Vendor: WDC_WD16 11.0 Size: 152627MB BusType: 3
14:35:17.515    Disk 0 MBR read successfully
14:35:17.515    Disk 0 MBR scan
14:35:17.531    Disk 0 TDL4@MBR code has been found
14:35:17.531    Disk 0 MBR hidden
14:35:17.531    Disk 0 MBR [TDL4]  **ROOTKIT**
14:35:17.546    Disk 0 trace - called modules:
14:35:17.546    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89920730]<<
14:35:17.562    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a29c868]
14:35:17.578    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a2e9650]
14:35:17.578    \Driver\iaStor[0x8a356298] -> IRP_MJ_CREATE -> 0x89920730
14:35:17.593    Scan finished successfully
14:35:38.875    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Admin\Desktop\MBR.dat"
14:35:38.890    The log file has been saved successfully to "C:\Documents and Settings\Admin\Desktop\aswMBR.txt"

Offline Blackpig

I've pushed the "FixMBR" button and below is the new log. Has the problem been solved?

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-05 14:42:06
-----------------------------
14:42:06.140    OS Version: Windows 5.1.2600 Service Pack 3
14:42:06.140    Number of processors: 2 586 0x170A
14:42:06.156    ComputerName: DG83K22S  UserName: Admin
14:42:06.875    Initialize success
14:42:08.343    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:42:08.343    Disk 0 Vendor: WDC_WD16 11.0 Size: 152627MB BusType: 3
14:42:08.375    Disk 0 MBR read successfully
14:42:08.375    Disk 0 MBR scan
14:42:08.390    Disk 0 unknown MBR code
14:42:08.390    Disk 0 scanning sectors +312576705
14:42:08.437    Disk 0 scanning C:\WINDOWS\system32\drivers
14:42:13.328    Service scanning
14:42:16.046    Disk 0 trace - called modules:
14:42:16.093    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
14:42:16.093    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5aeab8]
14:42:16.109    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a5af028]
14:42:16.109    Scan finished successfully
14:42:31.781    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Admin\Desktop\MBR.dat"
14:42:31.796    The log file has been saved successfully to "C:\Documents and Settings\Admin\Desktop\aswMBR1.txt"
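A log-triage script for the two aswMBR logs posted above (the run that reported TDL4 and the run after FixMBR), added here as an example; it is not from the thread or from AVAST Software. The log excerpts are copied from the posts; the line layout and the markers the regular expressions look for are my assumptions about the aswMBR log format.

```python
import re

# Constructed excerpts of the two aswMBR logs posted above (before and after
# FixMBR); backslashes are doubled because these are Python string literals.
LOG_BEFORE = """\
14:35:17.515    Disk 0 MBR read successfully
14:35:17.531    Disk 0 TDL4@MBR code has been found
14:35:17.531    Disk 0 MBR hidden
14:35:17.531    Disk 0 MBR [TDL4]  **ROOTKIT**
14:35:17.546    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89920730]<<
14:35:17.578    \\Driver\\iaStor[0x8a356298] -> IRP_MJ_CREATE -> 0x89920730
14:35:17.593    Scan finished successfully
"""
LOG_AFTER = """\
14:42:08.390    Disk 0 unknown MBR code
14:42:16.093    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
14:42:16.109    Scan finished successfully
"""

# Assumed line layout "HH:MM:SS.mmm    message"; the markers come from the logs above.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(.*)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", re.I)
DISPATCH_RE = re.compile(r"-> (IRP_MJ_\w+) -> (0x[0-9a-f]+)", re.I)

def triage(log_text):
    """Collect the rootkit-relevant facts from one aswMBR log."""
    f = {"rootkit": False, "mbr_status": [], "unknown": set(), "dispatch": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # header and separator lines
        msg = m.group(1)
        if "**ROOTKIT**" in msg:
            f["rootkit"] = True
        if "MBR" in msg and any(k in msg for k in ("found", "hidden", "unknown")):
            f["mbr_status"].append(msg.split("Disk 0 ", 1)[-1])
        f["unknown"].update(a.lower() for a in UNKNOWN_RE.findall(msg))
        dm = DISPATCH_RE.search(msg)
        if dm:
            f["dispatch"].append((dm.group(1), dm.group(2).lower()))
    # A dispatch routine whose address is in no known module is the hook itself.
    f["hooked"] = [d for d in f["dispatch"] if d[1] in f["unknown"]]
    return f

def verdict(f):
    """ROOTKIT: flagged or hooked; REVIEW: unknown MBR code or module; else CLEAN."""
    if f["rootkit"] or f["hooked"]:
        return "ROOTKIT"
    return "REVIEW" if f["unknown"] or any("unknown" in s for s in f["mbr_status"]) else "CLEAN"
```

verdict(triage(LOG_BEFORE)) returns ROOTKIT (the IRP_MJ_CREATE dispatch address is the same unknown address the module trace flagged), while verdict(triage(LOG_AFTER)) returns REVIEW: the hook is gone but the MBR code is still unrecognised, so the second log deserves a human look rather than a clean bill of health.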

Offline Blackpig

It "seems" like my computer runs normally again. A big hand to both magna86 and Zyndstoff (aka Steven Gail). Please let me know if I have additional steps to finish.

Offline Zyndstoff (aka Steven Gail)

Well, as a matter of fact, "FixMBR" was the wrong button...

If this solved the problem, you're lucky. If the problem comes back, please come back here again.

It's always a good idea to wait for instructions when you are using an unknown tool...  ;D

Please rerun MBAM (update it via GUI update tab) and have it remove everything it finds.

Cheers
Zyndstoff

Offline argus

Hmm, strange that DDS did not show rootkit

Offline Zyndstoff (aka Steven Gail)

Hmm, strange that DDS did not show rootkit

TDL4 is rather tricky...

Offline argus

Yes, but the DDS would have to recognize it

Quote
Moreover, avast shows that it keep blocking redirect to two malicious sites. Plus, I can't use google chrome. Is my problem really solved?

@Zyndstoff (aka Steven Gail)

You knew about this or... 'by heart  ;D

Offline Zyndstoff (aka Steven Gail)

Yes, but the DDS would have to recognize it

Obviously, it didn't...

You knew about this or... 'by heart  ;D

Nope, but there have been more cases in the last few days where some tools did not find anything; the symptoms were blocked URLs even without any browser running...

Besides that, I'm a wizard.  ;D
« Last Edit: May 06, 2011, 06:06:16 AM by Zyndstoff (aka Steven Gail) »

 
