Another Malware problem with address: 62.122.73.203

Hi, uhm, I also got this an hour ago or so, and I tried the fix, but unfortunately, it didn’t work for me.

If it’s any help, I will note that I only downloaded OTS, and the MalwareBytes Anti-Malware.

I have the logs from my most recent try (I’ve tried twice as of this post). As should be obvious, I’m also a complete newbie, and I ask that you be patient with me, if I am doing something wrong.

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs HERE in this topic and not in the guide )

To avoid using multiple posts with copy and paste you have to attach the logs.
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )
Save the OTS log as ANSI and not Unicode.

Essexboy will look at the logs when he arrives here later today.

Hi, it looks like you ran a fix… Be aware that each fix is specific to the machine it is crafted for - no two infections are the same. If you could run the OTS scan I will have a look see.

Ah, so that’s why. In that case, here is the log from the OTS scan.

OK, let's run this small fix first and then check out your MBR.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (cfjhunokhwq) cfjhunokhwq [Disabled | Stopped] -> 
[Files/Folders - Created Within 30 Days]
NY ->  PyFFI -> C:\Program Files\PyFFI
[Files/Folders - Modified Within 30 Days]
NY ->  acovcnt.exe -> C:\Windows\System32\acovcnt.exe
[Files - No Company Name]
NY ->  str.sys -> C:\Windows\System32\drivers\str.sys
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

Download aswMBR.exe ( 511KB ) to your desktop.

Double click aswMBR.exe to run it.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

Uhm, maybe it’s a problem, but I’m not sure. So, it said that the fix was successfully done, etc., and when I rebooted the system and came back on, a Notepad didn’t appear, which I found was weird. But anyway, I tried to continue to the next step, and I do have the log for the aswMBR. I didn’t retry the OTS thing because I was worried that something might go wrong if I do so after doing the aswMBR. If it’s okay for me to redo the OTS and see if a Notepad log will come out this time, please say so, and I will do it right away.

If you re-start the OTS programme it will probably reappear.

What problems do you have at the moment?

I tried it and no, it didn’t appear.

And the problems - well, I was able to figure out how to stop the warning message from constantly appearing about a couple of days ago, before I applied the fix, if that’s what you were asking. However, I don’t think that’s the end of the problem, until it’s removed. So I tried the fix yesterday, and, well, then I reported here with my previous post.

I don’t know if it’s right to post here, but I’m doing it because I have a similar problem. I put below the logs created by aswMBR, OTS and MBAM. MBAM’s one is the first log created, because now it says that there isn’t any malware even if Avast continues to show me the pop-up.
Thanks.

Could you post a fresh log please - use the same parameters.

leeeo

Your own thread would have made it easier. The USB drives you are using are infected, so I would recommend that you reformat them.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Processes - Safe List]
YY -> datf914.tmp.exe -> C:\Users\leo\AppData\Local\Temp\DATF914.tmp.exe
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> ${URL_SEARCHPAGE}
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1274483223-589487040-1080087786-1000\] > -> 
YN -> HKEY_USERS\S-1-5-21-1274483223-589487040-1080087786-1000\: Main\\"Search Page" -> ${URL_SEARCHPAGE}
< Run [HKEY_USERS\S-1-5-21-1274483223-589487040-1080087786-1000\] > -> HKEY_USERS\S-1-5-21-1274483223-589487040-1080087786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "DATF914.tmp.exe" -> C:\Users\leo\AppData\Local\Temp\DATF914.tmp.exe [C:\Users\leo\AppData\Local\Temp\DATF914.tmp.exe]
YN -> "EA Core" -> ["C:\Program Files\Electronic Arts\EADM\Core.exe" -silent]
YN -> "PoService" -> []
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{1d49a5fe-a8fe-11de-bf95-002421102ca3} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1d49a5fe-a8fe-11de-bf95-002421102ca3}\shell\AutoRun\command -> 
YN -> \{1d49a5fe-a8fe-11de-bf95-002421102ca3}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe]
YN -> \{1d49a5fe-a8fe-11de-bf95-002421102ca3} -> 
YN -> \{516eb82e-2061-11df-855e-002421102ca3} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{516eb82e-2061-11df-855e-002421102ca3}\shell\AutoRun\command -> 
YN -> \{516eb82e-2061-11df-855e-002421102ca3}\shell\AutoRun\command\\"" -> [ysep1.exe]
YN -> \{516eb82e-2061-11df-855e-002421102ca3} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{516eb82e-2061-11df-855e-002421102ca3}\shell\open\Command -> 
YN -> \{516eb82e-2061-11df-855e-002421102ca3}\shell\open\Command\\"" -> [ysep1.exe]
YN -> \{e0aa3b3f-b675-11de-9f8e-002421102ca3} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e0aa3b3f-b675-11de-9f8e-002421102ca3}\shell\AutoRun\command -> 
YN -> \{e0aa3b3f-b675-11de-9f8e-002421102ca3}\shell\AutoRun\command\\"" -> [rveunh.com]
YN -> \{e0aa3b3f-b675-11de-9f8e-002421102ca3} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e0aa3b3f-b675-11de-9f8e-002421102ca3}\shell\open\Command -> 
YN -> \{e0aa3b3f-b675-11de-9f8e-002421102ca3}\shell\open\Command\\"" -> [rveunh.com]
YN -> \{f030be21-f0a1-11df-8154-002421102ca3} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f030be21-f0a1-11df-8154-002421102ca3}\shell\Auto\command -> 
YN -> \{f030be21-f0a1-11df-8154-002421102ca3}\shell\Auto\command\\"" -> [setup.exe]
YN -> \{f030be21-f0a1-11df-8154-002421102ca3} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f030be21-f0a1-11df-8154-002421102ca3}\shell\AutoRun\command -> 
YN -> \{f030be21-f0a1-11df-8154-002421102ca3}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
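The MountPoints2 entries removed by the fix above are the per-volume shell\AutoRun\command and shell\open\Command handlers that an autorun.inf worm leaves behind when an infected USB stick is plugged in. The following report-only PowerShell script is an added example (not part of the thread or of OTS) that lists those handlers on a machine and flags the patterns seen in the fix: commands that launch a bare file name from the volume, or go through the RunDLL32 ShellExec_RunDLL launcher. The function name and the Suspicious heuristic are this example's own assumptions.

```powershell
# Added example: audit HKCU MountPoints2 for per-volume AutoRun/open command
# handlers. Report-only: nothing is deleted or changed.
function Get-MountPointAutoRun {
    $base = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $base)) { return @() }

    foreach ($vol in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        # Each subkey is a volume GUID, a drive letter or a UNC share name.
        $shell = Join-Path $base "$($vol.PSChildName)\shell"
        if (-not (Test-Path $shell)) { continue }

        # Verbs seen in the fix: AutoRun, open, Auto; each may carry a 'command' key.
        foreach ($verb in Get-ChildItem -Path $shell -ErrorAction SilentlyContinue) {
            $cmdKey = Join-Path $shell "$($verb.PSChildName)\command"
            if (-not (Test-Path $cmdKey)) { continue }
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

            # Heuristic (assumption of this example): a command that does not start
            # with a full drive path (e.g. "ysep1.exe", "setup.exe") resolves relative
            # to the removable volume, and ShellExec_RunDLL is the launcher used by
            # the Recycled\ctfmon.exe and setup.exe entries in the fix above.
            $suspicious = ($cmd -match 'ShellExec_RunDLL') -or
                          ($cmd -notmatch '^\s*"?[A-Za-z]:\\')

            [pscustomobject]@{
                Volume     = $vol.PSChildName
                Verb       = $verb.PSChildName
                Command    = $cmd
                Suspicious = $suspicious
            }
        }
    }
}

# Run it and show the results; review flagged rows before removing anything.
Get-MountPointAutoRun | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

These keys are cached per user, so run the script under each account that has used the infected drives; clearing the entry does not disinfect the drive itself, which is why the reply above recommends reformatting.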