Author Topic: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe  (Read 12998 times)

wikkid1

  • Guest
Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« on: December 01, 2009, 01:00:19 AM »
Hello,
Does anyone have any info on how to rid my system of these malware/virus files? Avast Pro doesn't seem to be able to clean them and the virus seems to be able to propagate itself onto other files. Any help would be very much appreciated.

Thanks


Therese Kean

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #1 on: December 01, 2009, 01:12:27 AM »
Hi, I'm a "Newbie" too, and if you have a look at my posts I am just coming out (hopefully) of virus alerts etc. I think I'm the next post down from you on the board.
Take a read and trust the more experienced guys that come in. Hope they and their posts bring you out of it.
Regards T

CharleyO

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #2 on: December 01, 2009, 08:11:38 AM »
***

Welcome to the forums, wikkid1.   :)

I would suggest that, if you have not yet done so, do a boot scan with avast to see if that will help.

If you have already done a boot scan, I would then suggest that you download SUPERAntiSpyware Free Edition (SAS) from http://www.superantispyware.com/download.html , install it, update it, run a scan with SAS, and post the resulting log here in this thread.

See the link below for information on this malware.

http://www.superantispyware.com/malwarefiles/ASAMPELI.DLL.html


for Treesgreen -

Threads (posts) will not stay in the same order but will change according to the amount of posts each thread gets. Threads that are getting more posts will move up the list while threads that are getting less posting will either stay at the same location (though on forums as active as this one, staying in the same location on the list is not likely) or it is more likely to move down the list. When a thread receives a new posting, it is moved to the top of the list and when the next thread receives a new posting, that one moves on top of the last one ... and so on. Because of this action, threads that get less postings (or no postings) will move farther and farther down the listings.


***

wikkid1

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #3 on: December 07, 2009, 01:53:16 AM »
Hello Charley (and Treesgreen),
Thank you very much for your assistance. I already ran a boot scan of Avast but it couldn't clean the files I mentioned, just put them in the virus chest. I DL'ed SAS and ran a scan. Not sure why it's not coming up with the same files that Avast did, but perhaps some of the ones detected by Avast are false positives. Here are the log results minus the tracking cookies detected by SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/06/2009 at 04:37 PM

Application Version : 4.31.1000

Core Rules Database Version : 4340
Trace Rules Database Version: 2191

Scan type       : Quick Scan
Total Scan Time : 01:47:06

Memory items scanned      : 435
Memory threats detected   : 0
Registry items scanned    : 420
Registry threats detected : 0
File items scanned        : 40610
File threats detected     : 169

Trojan.Agent/Gen-ModuleR[N]
   C:\WINDOWS\SYSTEM32\MDSETE.DLL
   D:\WINDOWS\SYSTEM32\MDSETE.DLL

Trojan.Agent/Gen-SmitFraud
   D:\SYSTEM VOLUME INFORMATION\_RESTORE{678F9335-FE69-42A4-80DD-1A965FCB737D}\RP155\A0117096.DLL

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #4 on: December 07, 2009, 02:20:11 AM »
wikkid1,
they might well relate to the same files, but with a different threat-naming protocol.
The file name produces few Google hits; the Prevx entry for MDSETE.DLL indicates the file was first observed Sep 14 this year. So it's fairly new.
Did you have SAS quarantine all found?
If not, rescan and please do so.

System volume information can be dealt with later. Just don't use system restore, for now.

Were the other 166 items all tracking cookies?

Do you have two operating systems, or one shared on two partitions? I see the malicious file is in both the C Windows directory, and an identical directory in D.
Windows 10,Windows Firewall,Firefox w/Adblock.

wikkid1

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #5 on: December 07, 2009, 02:30:24 AM »
Hi Tarq57,
Thank you for your help as well.  You guys have been invaluable in helping me out with this.

I did quarantine the items SAS found. Shall I quarantine the tracking cookies as well? BTW, yes, they were the other 166 items found by SAS.

The D directory is a drive that mirrors my C drive.

Thanks again. 

Offline Tarq57

Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #6 on: December 07, 2009, 02:34:20 AM »
I'd be inclined to run a full scan, also, just to be sure.
With an (apparently) new-ish malware, I'd also be looking to scan with an additional tool, link will follow if you want to do this.
How's the computer running?

Offline Tarq57

Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #7 on: December 07, 2009, 03:01:36 AM »
Just found this. It indicates a possibility of the files being false positives, as only one scanner on the list detects it. I'm still extremely suspicious, however, as there are almost no Google hits for the file name.

wikkid1

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #8 on: December 07, 2009, 03:33:20 AM »
I also ran Malwarebytes' Anti-Malware and this is the log from that scan. I'm in the process of running a full SAS scan just to be sure.

The system seems to be running fairly well, but I'm still suspicious because it seems to take a long time to boot up. It may be an install issue with iTunes I've been having, because when I end any iTunes process from the task manager the system seems to stabilize.

I'll post the log from the full scan once it's done running.

Malwarebytes' Anti-Malware 1.42
Database version: 3307
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/6/2009 6:22:59 PM
mbam-log-2009-12-06 (18-22-52).txt

Scan type: Quick Scan
Objects scanned: 114408
Time elapsed: 32 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
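As an added illustration (not code from this thread or from Malwarebytes), a small Python parser for the MBAM log format posted above. It separates the per-section item lists from the summary counts and pulls out any Security Center value flagged with Bad: (1), which is the "AntiVirusDisableNotify" finding in the log, i.e. the setting that silences Windows' antivirus warnings. The sample log is a constructed abridgement of the one above.

```python
import re
from typing import Dict, List

# Constructed sample: an abridged copy of the MBAM 1.42 log format posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.42

Registry Data Items Infected: 1
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# Section headers end right after the colon; the summary counts ("... Infected: 0") do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Item lines read "<path> (<detection>) -> <details>"; registry data items carry Bad/Good values.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.*)$")
VALUES_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

def parse_mbam_log(text: str) -> Dict[str, List[dict]]:
    """Map each 'X Infected:' section to the items listed under it."""
    sections: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
            continue
        item = ITEM_RE.match(line) if current and line else None
        if not item:  # blank lines and "(No malicious items detected)" placeholders
            continue
        entry = {"path": item.group("path"), "detection": item.group("detection"),
                 "action": item.group("rest").split("->")[-1].strip()}
        values = VALUES_RE.search(item.group("rest"))
        if values:
            entry["bad"], entry["good"] = values.group("bad"), values.group("good")
        sections[current].append(entry)
    return sections

def security_center_suppressed(sections: Dict[str, List[dict]]) -> List[str]:
    """Security Center values whose 'Bad' data is 1, i.e. alerting switched off."""
    return [e["path"].rsplit("\\", 1)[-1]
            for e in sections.get("Registry Data Items Infected", [])
            if "\\Security Center\\" in e["path"] and e.get("bad") == "1"]
```

On the log above this returns `["AntiVirusDisableNotify"]`; a non-empty result is worth treating as a sign that something tampered with the machine's own warnings, whatever the file scan found.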

wikkid1

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #9 on: December 07, 2009, 05:52:16 AM »
Here's the log from a full SAS scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/06/2009 at 08:44 PM

Application Version : 4.31.1000

Core Rules Database Version : 4340
Trace Rules Database Version: 2191

Scan type       : Complete Scan
Total Scan Time : 02:10:58

Memory items scanned      : 506
Memory threats detected   : 0
Registry items scanned    : 6363
Registry threats detected : 0
File items scanned        : 60013
File threats detected     : 2

Trojan.Agent/Gen-ModuleR[N]
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{678F9335-FE69-42A4-80DD-1A965FCB737D}\RP156\A0117430.DLL
   D:\SYSTEM VOLUME INFORMATION\_RESTORE{678F9335-FE69-42A4-80DD-1A965FCB737D}\RP156\A0117431.DLL

Offline Tarq57

Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #10 on: December 07, 2009, 01:06:36 PM »
Looking pretty good.
More info later, gotta dash right now. The info will involve clearing your restore points, no big deal.

wikkid1

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #11 on: December 07, 2009, 02:43:51 PM »
Thanks Tarq, much appreciated. 

YoKenny

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #12 on: December 07, 2009, 03:04:58 PM »
From Microsoft:
Clear System Restore Points for Performance
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Offline Tarq57

Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #13 on: December 07, 2009, 10:28:04 PM »
Thanks, YoKenny, that's it.
The linked procedure will also delete any malware that may be lurking in a restore point - the primary reason for doing this.

There is probably an option in SAS to send/submit malware to the company, it would be a good idea to do this. It's usually an option from within the quarantine of most security programs.

Tracking cookies are a relatively minor privacy issue. Unless you think you might want to keep some, might as well delete them.
Cookies can be a useful feature, such as keeping information about being logged on to a web page/personal settings etc. So there could be some, for some sites, you want to retain.

CCleaner is a popular and useful disk cleanup utility where cookies can easily be managed and selectively cleaned/kept.

wikkid1

  • Guest
Re: Win32:Malware-gen, DTSWIZ.EXE and asampeli.exe
« Reply #14 on: December 11, 2009, 01:07:24 AM »
Alright, now it looks like I may have another issue. When I was rebooting yesterday, Avast popped up while doing a boot scan and advised that my system "may" have signs of a rootkit, found when Avast did a scan using heuristic methods. I've since run another boot scan with Avast along with a thorough system scan and now it's coming up with nothing. I'm sending this from my iPhone because I'm scared to even use my system at this point. Any advice?

Thx in advance