Infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by romans, Oct 7, 2010.

  1. romans

    romans Private E-2

    Greetings. My PC has Google Redirect and a Trojan Horse, Generic 17.QXP, that my AVG says is not accessible. I have followed the Read Me procedure and have attached logs. I could not run ComboFix on this PC. Thanks.
     

    Attached Files:

  2. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!

    The definition database on your version of Malwarebytes is pretty far out of date. We need to update it and get a new scan log.

    First though please do this.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:


    • O2 - BHO: (no name) - AutorunsDisabled - (no file)
    • O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    • O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    • O9 - Extra button: (no name) - AutorunsDisabled - (no file)

    After clicking Fix checked, exit HijackThis.


    Open Malwarebytes' Anti-Malware.

    * Click the Update tab.
    * Click Check for Updates
    * If an update is found, it will download and install.
    * Click the Scanner tab.
    * Select Perform Quick Scan, then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy & Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    Do you know what this is?

    Code:
    C:\Documents and Settings\Mike DeKens\Application Data\10256.js


    Also let me know what happened when you tried to run ComboFix and why you don't have an antivirus installed?
     
  3. romans

    romans Private E-2

    Thanks again.
    I had to temporarily uninstall AVG to run MGtools the first time as per protocol. Re-installed immediately. ComboFix would not open; it's possible I missed something. I am not even a minor geek. Seems to be installed.
    Windows cannot find: C:\Documents and Settings\Mike DeKens\Application Data\10256.js


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4770

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/7/2010 4:30:52 PM
    mbam-log-2010-10-07 (16-30-52).txt

    Scan type: Quick scan
    Objects scanned: 152396
    Time elapsed: 22 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{766ca52b-4c13-4a86-86c9-a6cd3845bf41} (Password.Stealer) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{7d94fe9d-0031-4911-9d51-2a24cb88120c} (Password.Stealer) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1dfc0cb0-ce09-4e94-bd01-91c2e9d2a7ca} (Password.Stealer) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{766ca52b-4c13-4a86-86c9-a6cd3845bf41} (Password.Stealer) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{766ca52b-4c13-4a86-86c9-a6cd3845bf41} (Password.Stealer) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\s (Trojan.Script) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Mike DeKens\Application Data\12.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mike DeKens\Application Data\3.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mike DeKens\Local Settings\Temp\C.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mike DeKens\Local Settings\Temporary Internet Files\Content.IE5\19228SR7\update[1].exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mike DeKens\Local Settings\Temporary Internet Files\Content.IE5\3ASOPR60\update[1].exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mike DeKens\Local Settings\Temporary Internet Files\Content.IE5\LDLF1VUH\update[1].exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mike DeKens\Application Data\2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mike DeKens\Application Data\jsdfgs.bat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Mike DeKens\Application Data\10256.js (Trojan.Script) -> Quarantined and deleted successfully.
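    The MBAM log above follows a fixed layout: a summary block of "<category> Infected: <n>" counts, then one detail section per category with "<item> (<family>) -> <action>." lines. The parser below, an added example that is not part of this thread and not Malwarebytes' own code, reads that layout, checks that the detail entries agree with the summary counts (a quick sanity check when a log is pasted partially), groups detections by family and lists any action that was not a completed quarantine. The sample log is constructed from the format shown in the thread, with paths shortened and the user name replaced; the "Delete on reboot." action is a constructed example of a deferred removal.

```python
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.46 log format
# (paths shortened, user name replaced; not the thread's full log).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4770

Scan type: Quick scan
Objects scanned: 152396

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\\CLSID\\{766ca52b-4c13-4a86-86c9-a6cd3845bf41} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{766ca52b-4c13-4a86-86c9-a6cd3845bf41} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\s (Trojan.Script) -> Quarantined and deleted successfully.

Files Infected:
C:\\Documents and Settings\\user\\Application Data\\12.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\user\\Local Settings\\Temp\\C.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\user\\Application Data\\10256.js (Trojan.Script) -> Delete on reboot.
"""

# "Registry Keys Infected: 5" style summary line
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:" style section header (no count)
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <action>" detail line
DETAIL_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (summary counts per section, list of detail entries)."""
    summary, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETAIL_RE.match(line)
        if m:
            entries.append({"section": section, "item": m["item"],
                            "family": m["family"], "action": m["action"]})
    return summary, entries


def reconcile(summary, entries):
    """Sections whose summary count differs from the detail lines: {section: (claimed, found)}."""
    found = Counter(e["section"] for e in entries)
    return {s: (n, found.get(s, 0)) for s, n in summary.items() if found.get(s, 0) != n}


def by_family(entries):
    """Detections grouped by the family name MBAM assigned."""
    return Counter(e["family"] for e in entries)


def pending_actions(entries):
    """Entries whose action was not a completed quarantine (e.g. deferred to reboot)."""
    return [e for e in entries if not e["action"].startswith("Quarantined and deleted")]


if __name__ == "__main__":
    summary, entries = parse_mbam_log(SAMPLE_LOG)
    print("summary mismatches:", reconcile(summary, entries))
    print("families:", dict(by_family(entries)))
    for e in pending_actions(entries):
        print("needs follow-up:", e["item"], "->", e["action"])
```

    In the thread's own log the summary and detail counts agree (5 keys, 1 value, 9 files), so `reconcile` would return an empty dict; a non-empty result is the first thing to check when someone pastes a log that looks truncated. The `pending_actions` list is why the helper's instructions say to reboot immediately when MBAM asks: a deferred delete is not finished until that reboot happens.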
     
  4. romans

    romans Private E-2

    I tried to install ComboFix again and got this error:

    C:\Documents and Settings\Mike DeKens\Desktop\ComboFix.exe could not be saved, because you cannot change the contents of that folder.

    Change the folder properties and try again, or try saving in a different location.

    Should I save in another location?
     
  5. romans

    romans Private E-2

    I now have ComboFix on my desktop. Should I run it?
     
  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Yes, please refer to the instructions given in Step 2: Installing Tools and Running Scans.

    When it has finished, then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    *Remember to ATTACH the resulting logs:
    • C:\MGlogs.zip
    • C:\combofix.txt
     
  7. romans

    romans Private E-2

    ComboFix started to run, then quit. I tried to download again after rebooting and I get this error:

    C:\Documents and Settings\Mike DeKens\Desktop\ComboFix.exe could not be saved, because you cannot change the contents of that folder.

    Change the folder properties and try again, or try saving in a different location.


    What is the procedure for disabling Malwarebytes?
     
  8. romans

    romans Private E-2

    Finally got ComboFix to run. Logs attached. I have re-installed AVG.
     

    Attached Files:

  9. evilfantasy

    evilfantasy Malware Fighter

    Sorry for the delay. It's been a busy few days for me.


    Scan Suspicious File(s)

    Please go to VirusTotal.com
    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)

    1. Copy the file path in the below Code box:

    Code:
    c:\windows\system32\80BC0A51A4.sys
    2. At the upload site, click once inside the window next to Browse.
    3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    4. Next click Send File
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    This will perform a scan across multiple different virus scanning engines.
    Important: Wait for all of the scanning engines to complete.
    5. Copy and then Paste the link to the results in the next reply.

    Important! If you get a page that says 'File has already been analysed' in the results then you will need to click the 'Show last report' button to get new scan results.


    Also please try to scan this file and post the link to the results.

    Code:
    C:\Documents and Settings\Mike DeKens\Application Data\10256.js
     
  10. romans

    romans Private E-2

    Hey, I can't complain, your help has been invaluable. What type of scan were you suggesting for the second file? Windows cannot find it.




    File name:
    80BC0A51A4.sys
    Submission date:
    2010-10-09 23:03:23 (UTC)
    Current status:
    queued (#15) queued analysing finished
    Result:
    0/ 43 (0.0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2010.10.10.00 2010.10.09 -
    AntiVir 7.10.12.167 2010.10.08 -
    Antiy-AVL 2.0.3.7 2010.10.09 -
    Authentium 5.2.0.5 2010.10.09 -
    Avast 4.8.1351.0 2010.10.09 -
    Avast5 5.0.594.0 2010.10.09 -
    AVG 9.0.0.851 2010.10.10 -
    BitDefender 7.2 2010.10.10 -
    CAT-QuickHeal 11.00 2010.10.09 -
    ClamAV 0.96.2.0-git 2010.10.09 -
    Comodo 6333 2010.10.09 -
    DrWeb 5.0.2.03300 2010.10.10 -
    Emsisoft 5.0.0.50 2010.10.09 -
    eSafe 7.0.17.0 2010.10.07 -
    eTrust-Vet 36.1.7901 2010.10.08 -
    F-Prot 4.6.2.117 2010.10.09 -
    F-Secure 9.0.15370.0 2010.10.09 -
    Fortinet 4.2.249.0 2010.10.09 -
    GData 21 2010.10.10 -
    Ikarus T3.1.1.90.0 2010.10.09 -
    Jiangmin 13.0.900 2010.10.09 -
    K7AntiVirus 9.65.2713 2010.10.09 -
    Kaspersky 7.0.0.125 2010.10.09 -
    McAfee 5.400.0.1158 2010.10.09 -
    McAfee-GW-Edition 2010.1C 2010.10.09 -
    Microsoft 1.6201 2010.10.09 -
    NOD32 5518 2010.10.09 -
    Norman 6.06.07 2010.10.09 -
    nProtect 2010-10-09.01 2010.10.09 -
    Panda 10.0.2.7 2010.10.09 -
    PCTools 7.0.3.5 2010.10.09 -
    Prevx 3.0 2010.10.10 -
    Rising 22.68.05.00 2010.10.09 -
    Sophos 4.58.0 2010.10.09 -
    Sunbelt 7026 2010.10.09 -
    SUPERAntiSpyware 4.40.0.1006 2010.10.09 -
    Symantec 20101.2.0.161 2010.10.10 -
    TheHacker 6.7.0.1.053 2010.10.09 -
    TrendMicro 9.120.0.1004 2010.10.09 -
    TrendMicro-HouseCall 9.120.0.1004 2010.10.10 -
    VBA32 3.12.14.1 2010.10.08 -
    ViRobot 2010.9.25.4060 2010.10.09 -
    VirusBuster 12.67.10.0 2010.10.09 -
    Additional information
    Show all
    MD5 : 2be21bf250422fe606b35f87cd39b11b
    SHA1 : c26e173780805c903a660926acdbec5a41a61de0
    SHA256: 88574856aea306db9f294d34ba436c281b63ad54b443c59f6140dcb8509d53f0
    ssdeep: 3:hl/L/8pjmn:fd
    File size : 88 bytes
    First seen: 2010-10-09 23:03:23
    Last seen : 2010-10-09 23:03:23
    TrID:
    MS Flight Simulator Aircraft Performance Info (100.0%)
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

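    The VirusTotal report above identifies the sample by its MD5, SHA1 and SHA256 and reports a per-engine result table. Two checks are worth automating before and after such a submission: that the file you have locally is the same object the report describes (hashes and size match), and what the engine table actually says once parsed. The script below is an added example, not VirusTotal's or MajorGeeks' code; it uses only the standard library and works on a file's bytes, so it runs offline. The report text and engine table it reads are constructed in the layout shown above (the hashes are those of the three-byte input "abc", and "ExampleAV" is a made-up engine name), not the thread's real report.

```python
import hashlib
import re

# Constructed "Additional information" block in VirusTotal's 2010 layout.
# The values are the well-known hashes of the bytes b"abc", not the thread's sample.
SAMPLE_REPORT = """\
MD5 : 900150983cd24fb0d6963f7d28e17f72
SHA1 : a9993e364706816aba3e25717850c26c9cd0d89d
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
File size : 3 bytes
"""

# Constructed engine table; "ExampleAV" is a hypothetical engine, the other rows
# copy the format of real rows in the thread's report.
SAMPLE_TABLE = """\
Antivirus Version Last Update Result
AhnLab-V3 2010.10.10.00 2010.10.09 -
ClamAV 0.96.2.0-git 2010.10.09 -
ExampleAV 1.0 2010.10.09 Trojan.Script
"""

HASH_RE = re.compile(r"^(?P<alg>MD5|SHA1|SHA256)\s*:\s*(?P<hex>[0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^File size\s*:\s*(?P<n>\d+) bytes$")
# engine, version, last-update date (yyyy.mm.dd), result ("-" means no detection)
ENGINE_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<updated>\d{4}\.\d{2}\.\d{2}) (?P<result>.+)$")


def file_hashes(data: bytes) -> dict:
    """Hashes and size in the same forms the report prints them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def hashes_of_path(path: str) -> dict:
    """Convenience wrapper for a file on disk (reads it whole; fine for small samples)."""
    with open(path, "rb") as f:
        return file_hashes(f.read())


def verify_against_report(data: bytes, report_text: str) -> dict:
    """Compare local hashes/size with a report block; {} means every listed value matches."""
    local = file_hashes(data)
    mismatches = {}
    for raw in report_text.splitlines():
        line = raw.strip()
        m = HASH_RE.match(line)
        if m:
            alg, reported = m["alg"].lower(), m["hex"].lower()
            if local[alg] != reported:
                mismatches[alg] = (local[alg], reported)
            continue
        m = SIZE_RE.match(line)
        if m and local["size"] != int(m["n"]):
            mismatches["size"] = (local["size"], int(m["n"]))
    return mismatches


def detection_ratio(table_text: str) -> tuple:
    """(engines reporting a detection, engines in the table), like the 'x/43' headline."""
    detections = total = 0
    for raw in table_text.splitlines():
        m = ENGINE_RE.match(raw.strip())
        if not m:
            continue  # header line or noise
        total += 1
        if m["result"] != "-":
            detections += 1
    return detections, total


if __name__ == "__main__":
    print(file_hashes(b"abc"))
    print("mismatches:", verify_against_report(b"abc", SAMPLE_REPORT))
    print("ratio: %d/%d" % detection_ratio(SAMPLE_TABLE))
```

    Hashing first is also how to avoid uploading a file at all when the service already knows it: the report's "File has already been analysed" case mentioned in the instructions is exactly a hash match on a prior submission. A 0/43 result for an 88-byte unsigned driver, as in the thread, says only that no engine had a signature for those bytes at that moment; it is a data point, not a clean bill of health.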
     
  11. evilfantasy

    evilfantasy Malware Fighter


    Okay. If Windows is still not finding it then it must have been removed.




    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:


    • O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020 (User 'SYSTEM')
    • O4 - HKUS\.DEFAULT\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020 (User 'Default user')

    After clicking Fix checked, exit HijackThis.





    Download the Norton Removal Tool (SymNRT) to your desktop.

    Once downloaded please close ALL open browsers, also save any work because this may require a restart.

    * Go to your desktop and double click on the 'Norton_Removal_Tool' and then click Setup.
    * Once open Click Next
    * Accept the license agreement and click Next
    * Type in the letters/numbers that you see into the text box then click Next.
    * Then click Next and the tool will start running.
    * Once finished restart the PC.
    * Delete the 'Norton_Removal_Tool' from your desktop.




    Please follow the instructions for Using ESET's Online Scanner and attach the log it creates.
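    The HijackThis lines the helper asks to fix in this thread are of two shapes: "O2/O3/O9 - <kind>: <name> - <CLSID or marker> - <file or (no file)>" and "O4 - <hive>\..\Run[Once]: [<name>] <command> (User '<account>')". The parser below is an added example, not part of this thread and not HijackThis' own code; it turns such lines into records and pulls out the two things the helper was triaging here: entries whose target is "(no file)" (dangling references, harmless but worth clearing) and autoruns that live under the SYSTEM or Default user hives. The sample lines are constructed to match the thread's format; the "Example Helper" BHO, its all-zero CLSID and the "ExampleTray" autorun are hypothetical placeholders for ordinary, file-backed entries.

```python
import re

# Constructed HijackThis-style lines modelled on the thread's logs; the
# "Example Helper" BHO and "ExampleTray" autorun are hypothetical placeholders.
SAMPLE_HJT = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O4 - HKUS\\S-1-5-18\\..\\RunOnce: [SWHelper] "C:\\WINDOWS\\system32\\Macromed\\Shockwave 10\\PostUpdate.exe" 1014020 (User 'SYSTEM')
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
"""

# "O<n> - <body>"
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
# O4 body: "<hive>\..\<Run key>: [<name>] <command>" with an optional " (User '<account>')"
RUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)


def parse_hjt(text):
    """Parse O2/O3/O4/O9 style lines into dicts with a common set of keys."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section == "O4":
            r = RUN_RE.match(body)
            if r:
                entries.append({"section": section, "kind": r["key"], "name": r["name"],
                                "identifier": r["hive"], "target": r["command"],
                                "user": r["user"]})
            continue
        # "<kind>: <name> - <identifier> - <target>"; a missing trailing part stays None
        head, *rest = body.split(" - ")
        kind, _, name = head.partition(": ")
        entries.append({"section": section, "kind": kind, "name": name,
                        "identifier": rest[0] if rest else None,
                        "target": rest[-1] if len(rest) > 1 else None,
                        "user": None})
    return entries


def orphaned(entries):
    """Entries that reference a file that no longer exists (what the helper asked to fix)."""
    return [e for e in entries if e["target"] == "(no file)"]


def system_autoruns(entries):
    """Run/RunOnce entries registered under the SYSTEM or Default user profiles."""
    return [e for e in entries
            if e["section"] == "O4" and e["user"] in ("SYSTEM", "Default user")]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for e in orphaned(parsed):
        print("orphaned:", e["section"], e["kind"], e["identifier"])
    for e in system_autoruns(parsed):
        print("system autorun:", e["name"], "->", e["target"], "as", e["user"])
```

    Triage stays with the human: an entry under the SYSTEM hive is not malicious by itself (the thread's two RunOnce lines are a Shockwave post-update helper), but anything starting from those hives runs before any user logs in, so it is worth listing separately rather than burying it among ordinary Run entries.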
     
  12. romans

    romans Private E-2

    ESET found zero infections. Maybe we are done? I have not noticed any symptoms of a virus, etc. I'm satisfied if you are. Thanks again, Peter
     
  13. evilfantasy

    evilfantasy Malware Fighter

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  14. romans

    romans Private E-2

    Best instructional and assistance ever. Major Geek for president!
     
  15. evilfantasy

    evilfantasy Malware Fighter

    Thanks Romans.

    Safe surfing...
     
