
[SPLIT] jimnall



12/03/09

I downloaded and ran combofix.exe as instructed. Below is the result. MBAM did not detect the infections. FYI

ComboFix 09-12-03.02 - RevLynn 12/03/2009 16:45.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.134 [GMT -6:00]

Running from: c:\documents and settings\RevLynn\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\RevLynn\My Documents\reg-afterRebuild-12-03-09.reg

c:\recycler\S-1-5-21-1449584909-2326681697-841056466-500

c:\windows\system32\drivers\fad.sys

c:\windows\system32\msssc.dll

Infected copy of c:\windows\system32\hid.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\hid.dll

Infected copy of c:\windows\system32\midimap.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\midimap.dll

.

((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))

.

2009-12-03 23:14 . 2009-12-03 23:14 67424 ----a-w- c:\documents and settings\RevLynn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-03 22:25 . 2009-12-03 22:25 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-03 19:41 . 2009-12-03 19:41 -------- d-----w- c:\windows\system32\XPSViewer

2009-12-03 19:41 . 2009-12-03 19:41 -------- d-----w- c:\program files\MSBuild

2009-12-03 19:40 . 2009-12-03 19:40 -------- d-----w- c:\program files\Reference Assemblies

2009-12-03 19:40 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2009-12-03 19:40 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-12-03 19:40 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-12-03 19:40 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2009-12-03 19:40 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-12-03 19:40 . 2009-12-03 19:40 -------- d-----w- C:\99e319f18eb581b5a7d3

2009-12-03 19:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-12-03 19:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-12-03 19:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-12-03 19:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-12-03 19:40 . 2009-12-03 20:06 -------- d-----w- c:\windows\SxsCaPendDel

2009-12-03 18:40 . 2009-12-03 18:40 -------- d-----w- c:\documents and settings\RevLynn\Local Settings\Application Data\Identities

2009-12-03 18:24 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-12-03 03:38 . 2009-12-03 03:38 -------- d-----w- c:\documents and settings\Webmaster\Local Settings\Application Data\Ahead

2009-12-03 03:38 . 2009-12-03 03:38 -------- d-----w- c:\documents and settings\Webmaster\Application Data\Nero

2009-12-03 03:06 . 2009-12-03 03:06 -------- d-----w- c:\documents and settings\RevLynn\Local Settings\Application Data\Ahead

2009-12-03 02:30 . 2009-12-03 02:30 -------- d-----w- c:\documents and settings\RevLynn\Application Data\Nero

2009-12-03 02:26 . 2009-12-03 02:29 -------- d-----w- c:\program files\Common Files\Nero

2009-12-03 02:26 . 2009-12-03 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2009-12-03 02:26 . 2009-12-03 02:26 -------- d-----w- c:\program files\Nero

2009-12-03 02:17 . 2009-12-03 02:17 -------- d-----w- c:\program files\Microsoft ActiveSync

2009-12-03 02:16 . 2009-12-03 22:02 -------- d-----w- c:\windows\ShellNew

2009-12-03 02:16 . 2009-12-03 02:16 -------- d-----w- c:\program files\Common Files\L&H

2009-12-03 02:12 . 2009-12-03 02:13 -------- d-----w- c:\program files\Common Files\Computer Helper

2009-12-03 02:11 . 2009-12-03 02:11 -------- d-----w- c:\documents and settings\RevLynn\Local Settings\Application Data\Downloaded Installations

2009-12-03 02:06 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2009-12-03 01:56 . 2009-12-03 01:57 -------- d-----w- c:\program files\Windows Media Connect 2

2009-12-03 01:54 . 2009-12-03 01:55 -------- d-----w- c:\windows\system32\drivers\UMDF

2009-12-03 01:54 . 2009-12-03 01:54 -------- d-----w- c:\windows\system32\LogFiles

2009-12-03 01:40 . 2009-12-03 01:52 -------- d-----w- c:\program files\PhoneTreeMVPu

2009-12-03 01:36 . 2009-12-03 01:36 -------- d-----w- c:\windows\Downloaded Installations

2009-12-03 01:33 . 2009-12-03 01:33 -------- d-----w- c:\documents and settings\RevLynn\Application Data\Malwarebytes

2009-12-03 01:22 . 2009-12-03 01:22 -------- d-sh--w- c:\documents and settings\RevLynn\IECompatCache

2009-12-03 01:21 . 2009-12-03 01:21 -------- d-sh--w- c:\documents and settings\RevLynn\PrivacIE

2009-12-03 01:20 . 2009-12-03 01:20 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-03 01:19 . 2009-12-03 01:19 152576 ----a-w- c:\documents and settings\RevLynn\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-03 01:18 . 2009-12-03 01:18 79488 ----a-w- c:\documents and settings\RevLynn\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-03 01:14 . 2009-12-03 01:14 65536 ----a-r- c:\documents and settings\RevLynn\Application Data\Microsoft\Installer\{4D8314D2-11FE-4397-A7CC-7015CFF50BCE}\PalmDesktopShortcut.exe

2009-12-03 01:14 . 2009-12-03 01:14 65536 ----a-r- c:\documents and settings\RevLynn\Application Data\Microsoft\Installer\{4D8314D2-11FE-4397-A7CC-7015CFF50BCE}\ARPPRODUCTICON.exe

2009-12-03 01:14 . 2009-12-03 01:34 -------- d-----w- c:\program files\Palm

2009-12-03 00:04 . 2009-12-03 00:06 -------- d-----w- c:\documents and settings\LYNN Saved

2009-12-03 00:04 . 2009-12-03 00:04 -------- d-----w- c:\documents and settings\LYNN Saved\Microsoft OE

2009-12-03 00:00 . 2009-12-03 00:00 -------- d-sh--w- c:\documents and settings\Webmaster\IETldCache

2009-12-02 23:56 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll

2009-12-02 23:56 . 2009-12-02 23:56 -------- d-----w- c:\windows\ie8updates

2009-12-02 23:55 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-12-02 23:55 . 2009-08-29 08:08 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll

2009-12-02 23:55 . 2009-08-29 08:08 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-12-02 23:55 . 2009-08-29 08:08 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2009-12-02 23:55 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-12-02 23:55 . 2009-08-29 08:08 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll

2009-12-02 23:54 . 2009-12-02 23:55 -------- dc-h--w- c:\windows\ie8

2009-12-02 21:24 . 2009-12-02 21:24 13104 ----a-w- c:\documents and settings\Webmaster\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-02 21:17 . 2009-12-02 21:17 -------- d-----w- c:\windows\system32\scripting

2009-12-02 21:17 . 2009-12-02 21:17 -------- d-----w- c:\windows\l2schemas

2009-12-02 21:17 . 2009-12-02 21:17 -------- d-----w- c:\windows\system32\en

2009-12-02 21:17 . 2009-12-02 21:17 -------- d-----w- c:\windows\system32\bits

2009-12-02 21:16 . 2009-12-02 21:16 -------- d-----w- c:\windows\ServicePackFiles

2009-12-02 21:08 . 2004-08-04 05:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys

2009-12-02 21:07 . 2009-12-02 21:07 -------- d-----w- c:\documents and settings\Webmaster\Application Data\Malwarebytes

2009-12-02 21:06 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-02 21:06 . 2009-12-03 22:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-02 21:06 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-02 21:06 . 2009-12-02 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-02 17:04 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-12-02 16:58 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys

2009-12-02 16:58 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2009-12-02 16:58 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-02 16:58 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll

2009-12-02 16:58 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-12-02 16:58 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll

2009-12-02 16:55 . 2004-08-04 04:41 11868 ------w- c:\windows\system32\drivers\mdmxsdk.sys

2009-12-02 16:55 . 2004-08-04 04:41 1041536 ------w- c:\windows\system32\drivers\hsfdpsp2.sys

2009-12-02 16:55 . 2004-08-04 04:41 685056 ------w- c:\windows\system32\drivers\hsfcxts2.sys

2009-12-02 16:55 . 2004-08-04 04:41 220032 ------w- c:\windows\system32\drivers\hsfbs2s2.sys

2009-12-02 16:45 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll

2009-12-02 16:45 . 2009-07-31 04:35 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll

2009-12-02 16:45 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-12-02 16:45 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe

2009-12-02 16:44 . 2009-12-02 16:44 -------- d-s---w- c:\documents and settings\Webmaster\UserData

2009-12-02 16:42 . 2009-01-08 00:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe

2009-12-02 16:42 . 2009-12-02 23:59 -------- d--h--w- c:\windows\$hf_mig$

2009-12-02 16:34 . 2003-03-11 11:09 155648 ----a-w- c:\windows\system32\igfxres.dll

2009-12-02 16:32 . 2009-12-02 16:32 -------- d-----w- c:\program files\Program Shortcuts

2009-12-02 16:18 . 2004-05-25 11:04 192 ----a-w- c:\windows\logoffper2.reg

2009-12-02 16:18 . 2004-05-25 11:04 278 ----a-w- c:\windows\logonper2.reg

2009-12-02 16:17 . 1998-10-30 00:45 306688 ----a-w- c:\windows\IsUninst.exe

2009-12-02 16:16 . 2002-05-28 20:11 4605 ----a-w- c:\windows\system32\dllcache\oembios.dat

2009-12-02 16:16 . 2002-05-28 20:11 13107200 ----a-w- c:\windows\system32\dllcache\oembios.bin

2009-12-02 16:16 . 2009-12-02 16:17 -------- d-----w- c:\program files\Compaq

2009-12-02 16:16 . 2009-12-02 16:16 -------- d-----w- c:\program files\PDF Complete

2009-12-02 16:16 . 2003-05-16 13:49 20569 ----a-w- c:\windows\system32\pxc25pm.dll

2009-12-02 16:14 . 2009-12-02 16:14 -------- d-----w- C:\cpqs

2009-12-02 16:14 . 2002-11-21 18:57 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll

2009-12-02 16:14 . 2002-11-21 18:57 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll

2009-12-02 16:14 . 2002-11-21 18:57 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll

2009-12-02 16:14 . 2002-11-21 18:57 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll

2009-12-02 16:14 . 2002-11-21 18:57 188416 ----a-w- c:\windows\system32\IVIresizePX.dll

2009-12-02 16:14 . 2002-11-21 18:57 20480 ----a-w- c:\windows\system32\IVIresize.dll

2009-12-02 16:14 . 2009-12-02 16:14 -------- d-----w- c:\program files\InterVideo

2009-12-02 16:14 . 2009-12-02 16:14 -------- d-----w- c:\program files\Altiris

2009-12-02 16:12 . 2009-12-03 01:19 -------- d-----w- c:\program files\Java

2009-12-02 16:12 . 2009-12-02 16:12 -------- d-----w- c:\program files\Common Files\Java

2009-12-02 16:11 . 2009-12-02 16:11 -------- d-----w- c:\windows\system32\URTTemp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-03 01:14 . 2009-12-02 16:13 -------- d-----w- c:\program files\Common Files\InstallShield

2009-12-02 21:19 . 2004-08-09 20:32 86843 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-12-02 16:17 . 2009-12-02 16:17 1588 --sha-r- c:\windows\system32\drivers\103C_HP_BPC_HP dc5000 uT(DZ216AV)_YB_0CBD_Q2UA547_EU_46_I090Ch_SHP_V_B786B0 v1.00_T040212_WXP2_L409_M504_J80_7Intel_8Pentium 4_92.99_#091202_N14E41696_(DZ216AV)_X_CD7_Z_2_G80862572_OHL-DT-ST RW DVD GCC-4482B.MRK

2009-12-02 16:14 . 2009-12-02 16:13 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-12-02 16:13 . 2009-12-02 16:13 -------- d-----w- c:\program files\Analog Devices

2009-12-02 15:05 . 2009-12-02 15:05 -------- d-----w- c:\program files\microsoft frontpage

2009-09-25 05:37 . 2009-09-25 05:37 81920 ------w- c:\windows\system32\ieencode.dll

2009-09-11 14:18 . 2004-08-04 07:56 136192 ----a-w- c:\windows\system32\msv1_0.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]

@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"

[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]

2008-07-10 14:23 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe ASO-616B5711-6DAE-4795-A05F-39A1E5104020" [X]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-03-11 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-03-11 114688]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-03 149280]

"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]

"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]

"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2003-06-06 167936]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]

"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2008-07-10 2049320]

"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2008-07-10 1083176]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-03 429392]

c:\documents and settings\RevLynn\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-9-25 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-12-2 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Palm\\HOTSYNC.EXE"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/2/2009 3:06 PM 276816]

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [7/10/2008 8:23 AM 53032]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/2/2009 3:06 PM 19160]

.

Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Webmaster.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-02 22:14]

2009-12-02 c:\windows\Tasks\Malwarebytes' Scheduled Update for Webmaster.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-02 22:14]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.umckc.org/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-03 17:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3548)

c:\windows\system32\WININET.dll

c:\program files\Nero\Nero8\InCD\NBHShx.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\Nero\Nero8\InCD\NBHStr.dll

c:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Nero\Nero8\InCD\InCDsrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

c:\program files\PDF Complete\pdfsaver.exe

c:\program files\Common Files\Nero\Lib\NMIndexingService.exe

.

**************************************************************************

.

Completion time: 2009-12-03 17:19 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-03 23:19

Pre-Run: 57,366,712,320 bytes free

Post-Run: 57,360,220,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E28AD910FA038D0EE7E4E4A4DA926478
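The ComboFix sections above (Other Deletions, Files Created, Reg Loading Points) follow a fixed layout, so the items a helper looks at first can be pulled out mechanically: what was deleted or disinfected, which new files landed in system32 or its drivers directory, and which Run entries point at files that no longer exist. The script below is an added example, not code from ComboFix or from this forum. Its input is a constructed excerpt of lines taken from the log above; it assumes that the first timestamp of a Files Created entry is the creation time and the second the last-write time, and that the trailing [X] on a Run entry is ComboFix's marker for an autorun whose file could not be found.

```python
"""Pull the reviewer-relevant items out of a ComboFix-style log.

Added example; not ComboFix's own code. Assumptions are marked below.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: lines excerpted from the log above, kept in ComboFix's layout.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\fad.sys
c:\windows\system32\msssc.dll
Infected copy of c:\windows\system32\hid.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\hid.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 )))))))))))))))))))))))))))))))
.
2009-12-03 19:40 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-02 21:06 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 02:26 . 2009-12-03 02:26 -------- d-----w- c:\program files\Nero
2009-12-02 16:42 . 2009-01-08 00:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-12-03 01:20 . 2009-12-03 01:20 411368 ----a-w- c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe ASO-616B5711-6DAE-4795-A05F-39A1E5104020" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"""

HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# "created . last-written size attributes path"; the size column is dashes for directories.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+|-+) (\S{8}) (.+)$"
)
# Run-key value; the trailing bracket holds "date size", or "X" when the file was not found.
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(X|\d{4}-\d{2}-\d{2} \d+)\]$')
DISINFECT_RE = re.compile(r"^Infected copy of (.+) was found and disinfected$")
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

# Directories where a newly created file deserves a second look.
SENSITIVE_DIRS = (r"c:\windows\system32", r"c:\windows\system32\drivers")
FRESH_WINDOW = timedelta(minutes=10)


@dataclass
class FileEntry:
    created: datetime
    modified: datetime   # assumption: ComboFix's second timestamp is the last-write time
    size: int            # 0 for directories (ComboFix prints dashes there)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def in_sensitive_dir(self) -> bool:
        parent = self.path.lower().rsplit("\\", 1)[0]
        return parent in SENSITIVE_DIRS

    @property
    def freshly_written(self) -> bool:
        """Created and last written within minutes of each other: written on this box rather than copied from an older package."""
        return abs(self.modified - self.created) <= FRESH_WINDOW


def _stamp(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def triage(log_text: str) -> dict:
    """Return deletions, disinfections, sensitive new files and dangling autoruns from a ComboFix log."""
    section = ""
    deleted, disinfected, sensitive, dangling = [], [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := HEADER_RE.match(line):
            section = m.group(1)
            continue
        if m := ENTRY_RE.match(line):
            created, modified, size, attrs, path = m.groups()
            entry = FileEntry(_stamp(created), _stamp(modified),
                              int(size) if size.isdigit() else 0, attrs, path)
            if not entry.is_dir and entry.in_sensitive_dir:
                sensitive.append(entry)
            continue
        if m := RUN_RE.match(line):
            name, _command, stamp = m.groups()
            if stamp == "X":  # assumption: [X] marks an autorun whose file ComboFix could not find
                dangling.append(name)
            continue
        if m := DISINFECT_RE.match(line):
            disinfected.append(m.group(1))
            continue
        if section.startswith("Other Deletions") and PATH_RE.match(line):
            deleted.append(line)
    return {"deleted": deleted, "disinfected": disinfected,
            "sensitive_files": sensitive, "dangling_autoruns": dangling}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key in ("deleted", "disinfected", "dangling_autoruns"):
        for item in report[key]:
            print(f"{key:18} {item}")
    for e in report["sensitive_files"]:
        flag = "fresh" if e.freshly_written else "older"
        print(f"{'sensitive_file':18} {e.path}  ({e.size} bytes, {flag})")
```

The "fresh" flag is only a hint for where to look first: a file whose creation and last-write times coincide was written in place on this machine, whereas files installed from a service pack or hotfix normally carry the package build date as their last-write time, as the dllcache entries above do. Pass the full log text to triage() instead of the sample to run it over a real report.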


@jimnall

You posted a reply into another member's malware-removal topic. That is not a proper way of posting your issues.

Do tell us what your issues are.

Why had you run Combofix on your own?

Combofix is NOT to be used without guided expert help.

If you have a malware issue and need guided help, then see this topic http://www.malwarebytes.org/forums/index.php?showtopic=9573 and reply back with a copy of:

  • the MBAM log
  • the DDS.txt log
  • the Gmer log

Then wait until an authorized helper replies.


2 weeks later...

Hello Jimnall,

Do you still need help? or have you resolved all issues?

Maurice... sorry if I'm using this post incorrectly, but yes, I do need help.

The computers involved have been infected with the fuefue.exe malware. Windows explorer can't see the fuefue files but under some circumstances the Nero CD/DVD burn program can see them.

What is the best way to remove fuefue?


Hello jimnall,

Let's have you do the following.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

CHECK (turn on) Display the contents of system folders.

Under Hidden files and folders, select Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next, un-check Hide protected operating system files.

Step 3

Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}.

Step 4

Using Internet Explorer browser only, go to ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner. Otherwise the scan will take twice as long to do: every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized that you should temporarily disable any PC-resident {active} antivirus program prior to any on-line scan by any on-line scanner. (And promptly re-enable it when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

Step 5

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

  • the contents of ESET scan log
  • the contents of Log.txt
  • the contents of Info.txt
  • the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

