Help needed with Malware Infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Timelord, Nov 6, 2008.

  1. Timelord

    Timelord Private E-2

    Hello,

    I think I am reasonably conversant with protection measures and I have been successful (or lucky? :)) in keeping my computer free of spyware/malware so far.

    However, recently I downloaded some files (tv show from rapidshare) and while searching for it, I might have clicked one or two links in some of those forums that could have caused the infection.

    I looked first in the system32 folder before starting any cleanup activities and found two new .exes (a51-something and h-something - both 7 characters I think; hoping it is somewhat familiar to someone) and a log called nmp.log that I couldn't delete.

    Anyway, I followed the instructions in the Read Me to the letter and everything went through fine. The scans also identified the hxxxxxx.exe and supposedly fixed it but it was still there after all the scans finished (the other one went away with a simple virus scan).
    The logs from all the scans (SuperAntiSpyWare, ComboFix, MGLogs, HijackThis) are zipped and attached to this post.

I then checked the task scheduler log in C:\ (basically checking everything that was updated in the last week) and noticed some jobs had run recently. I checked the Scheduled Tasks and this hxxxxx had 57-58 Tasks set up to run it at fixed intervals every day. I deleted the Tasks and then stopped the hxxxxx.exe process and deleted the .exe and nmp.log (but the nmp.log is back).

    At this point, I am stuck and I have disconnected my computer from the internet till I get it cleaned up.
    If one of you can go through the logs and figure out what I should do to get my computer in a clean state again, that would be great. Let me know if I need to run any other steps too.

    Thanks,
    Dilip
     

    Attached Files:
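The persistence trick described above (one executable registered as the target of dozens of scheduled tasks) is easy to spot if you group tasks by the binary they launch instead of reading them one at a time. The Python script below is an added example, not code from this thread or from MajorGeeks: it parses the output of `schtasks /query /fo CSV /v` (which you would redirect to a file on the affected machine), groups tasks by executable, flags any binary referenced by more than a handful of tasks, and builds the matching `schtasks /delete` commands for review. The CSV sample, host name, task names and the two benign programs are constructed for illustration; only the executable name `h25XIfQM.exe` comes from the thread.

```python
"""Scheduled-task triage: flag executables launched by many tasks."""
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output.
# Only the columns used below are present; the repeated header row in the
# middle mimics versions of schtasks that print a header before every task.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Creator","Schedule","Task To Run","Run As User"
"PC1","At1","","SYSTEM","Every 1 hour(s) from 00:00 for 24 hour(s) every day","C:\WINDOWS\system32\h25XIfQM.exe","SYSTEM"
"PC1","At2","","SYSTEM","Every 1 hour(s) from 00:10 for 24 hour(s) every day","C:\WINDOWS\system32\h25XIfQM.exe","SYSTEM"
"PC1","At3","","SYSTEM","Every 1 hour(s) from 00:20 for 24 hour(s) every day","C:\WINDOWS\system32\h25XIfQM.exe","SYSTEM"
"PC1","At4","","SYSTEM","Every 1 hour(s) from 00:30 for 24 hour(s) every day","C:\WINDOWS\system32\h25XIfQM.exe","SYSTEM"
"PC1","At5","","SYSTEM","Every 1 hour(s) from 00:40 for 24 hour(s) every day","C:\WINDOWS\system32\h25XIfQM.exe","SYSTEM"
"PC1","At6","","SYSTEM","Every 1 hour(s) from 00:50 for 24 hour(s) every day","c:\windows\SYSTEM32\h25XIfQM.exe","SYSTEM"
"HostName","TaskName","Status","Creator","Schedule","Task To Run","Run As User"
"PC1","Updater","","dilip","At 09:00 every day","C:\Program Files\Updater\update.exe /silent","dilip"
"PC1","Weekly Backup","","dilip","At 22:00 every Fri","""C:\Program Files\Backup Tool\backup.exe"" /full","dilip"
'''

# File extensions schtasks may launch directly; used to split path from arguments.
_EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr")


def parse_schtasks_csv(text):
    """Parse `schtasks /query /fo CSV /v` output into a list of row dicts,
    dropping repeated header rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("TaskName") == "TaskName":  # repeated header line
            continue
        rows.append(row)
    return rows


def executable_of(task_to_run):
    """Reduce the 'Task To Run' field to the executable path: strip a quoted
    path's quotes, or cut unquoted command lines at the executable extension."""
    command = task_to_run.strip()
    if command.startswith('"'):
        closing = command.find('"', 1)
        return command[1:closing] if closing > 0 else command.strip('"')
    lowered = command.lower()
    for ext in _EXECUTABLE_EXTENSIONS:
        idx = lowered.find(ext + " ")
        if idx != -1:
            return command[: idx + len(ext)]
    return command  # no arguments present


def tasks_by_executable(rows):
    """Map each executable (case-folded, since NTFS paths are case-insensitive)
    to the names of the tasks that launch it."""
    groups = defaultdict(list)
    for row in rows:
        groups[executable_of(row["Task To Run"]).lower()].append(row["TaskName"])
    return dict(groups)


def flag_suspicious(rows, max_tasks_per_exe=3):
    """Return [(executable, [task names])] for binaries run by more than
    max_tasks_per_exe tasks, most-referenced first. Legitimate software rarely
    needs more than a few tasks for one binary; the infection in this thread
    had roughly 58 pointing at a single randomly named file in system32."""
    flagged = [(exe, names) for exe, names in tasks_by_executable(rows).items()
               if len(names) > max_tasks_per_exe]
    flagged.sort(key=lambda item: len(item[1]), reverse=True)
    return flagged


def delete_commands(flagged):
    """Build the `schtasks /delete /tn <name> /f` commands an administrator
    would run, after confirming the flagged executable is unwanted."""
    return ['schtasks /delete /tn "%s" /f' % name
            for _, names in flagged for name in names]


if __name__ == "__main__":
    parsed = parse_schtasks_csv(SAMPLE_CSV)
    hits = flag_suspicious(parsed)
    for exe, names in hits:
        print("%s is launched by %d tasks: %s" % (exe, len(names), ", ".join(names)))
    for cmd in delete_commands(hits):
        print(cmd)
```

The threshold is deliberately low: a binary that genuinely needs more than three separate task entries is unusual enough to deserve a look, and the script only reports and prints commands, so nothing is deleted until a person has checked the executable (the second half of the cleanup, stopping the process and removing the file, is still manual, as in the thread).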

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Please do not combine the logs requested into one zip file... the MGLogs.zip was corrupted.

Please attach it to your next reply as well as the MalwareBytes log.

    In the meantime, try using windows explorer to find and delete:
    c:\windows\system32\h25XIfQM.exe
    c:\windows\system32\53d01cfv.exe
     
  3. Timelord

    Timelord Private E-2

    Thanks for looking and sorry about the corrupt log files. I've attached them now separately.
     

    Attached Files:

  4. Timelord

    Timelord Private E-2

    MGLogs.zip....

    McAfee just reported that the MBAM-DOR.exe (present in the MBAM installation folder) contains a Trojan called Generic.dx and quarantined it. Is this normal and should I restore it?

    Yes, those were the 2 exes that were persisting. I can no longer find them after the scans and the manual delete of h25XIfQM.exe.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    McAfee is mistaken and you can restore that file. :)

    The only thing I am seeing that is questionable is:
    C:\WINDOWS\system32\h25XIfQM.exe

    Which is what you were referring to in your original post?

If so, download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the "Input script here:" part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
* Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
