I’ve done the first step by MBAM, and here is the log
Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6514
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/5/2011 9:55:39 AM
mbam-log-2011-05-05 (09-55-39).txt
Scan type: Quick scan
Objects scanned: 186358
Time elapsed: 4 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) → Value: idln2 → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) → Value: bk → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegistryMonitor1 (Trojan.Agent) → Value: RegistryMonitor1 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\RegistryMonitor2 (Malware.Trace) → Value: RegistryMonitor2 → Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\documents and settings\Admin\application data\shoppingreport2 (Adware.ShoppingReport2) → Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs (Adware.ShoppingReport2) → Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\db (Adware.ShoppingReport2) → Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\dwld (Adware.ShoppingReport2) → Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\report (Adware.ShoppingReport2) → Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\shoppingreport2\cs\res1 (Adware.ShoppingReport2) → Quarantined and deleted successfully.
c:\program files\resultbar (Adware.ResultBar) → Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\mom and auntie yao\local settings\temp{1bb22d38-a411-4b13-a746-c2a4f4ec7344}\searchguardplus.exe (PUP.Fbsearch) → Quarantined and deleted successfully.
c:\documents and settings\mom and auntie yao\local settings\temp{1bb22d38-a411-4b13-a746-c2a4f4ec7344}\update.exe (PUP.Fbsearch) → Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\RMDZ36RR\TFC[1].exe (Trojan.Dropper.PGen) → Quarantined and deleted successfully.
c:\WINDOWS\system32\userinitxx.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\program files\resultbar\resultbar(2).exe (Adware.ResultBar) → Quarantined and deleted successfully.
What should I do next?
Actually, it is Win32 Dropper-gen, not Malware-gen. Sorry for that.
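One thing a helper reads off a pasted MBAM log before answering is whether the summary counts agree with the listed items and whether every item was actually quarantined. The parser below is an added example, not part of the thread and not Malwarebytes' code; it works on a constructed, abridged sample laid out like the log above (MBAM writes "->" as its separator, which forum pastes often turn into "→", so both are accepted). The section names, threat labels and action text are taken from the log; the function names are ours.

```python
import re
from collections import Counter

# Constructed sample in the layout of the MBAM 1.50 log pasted above
# (abridged; entries modelled on the thread's, not copied in full).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6514
Scan type: Quick scan
Objects scanned: 186358
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Value: idln2 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegistryMonitor1 (Trojan.Agent) -> Value: RegistryMonitor1 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\resultbar (Adware.ResultBar) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\userinitxx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\resultbar\resultbar(2).exe (Adware.ResultBar) -> Quarantined and deleted successfully.
"""

# Three line kinds: summary count, section header, and a detection entry.
_SUMMARY = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
_HEADER = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
_ARROW = re.compile(r"\s*(?:->|\u2192)\s*")          # "->" from MBAM, "→" from pastes
_ENTRY = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\)\s*(?:->|\u2192)\s*(?P<rest>.+)$")

REMOVED = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return {'summary': {section: declared_count}, 'sections': {section: [entry, ...]}}."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SUMMARY.match(line)
        if m:
            summary[m["name"]] = int(m["n"])
            continue
        m = _HEADER.match(line)
        if m:
            current = m["name"]
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = _ENTRY.match(line)
        if m:
            parts = _ARROW.split(m["rest"])   # e.g. ["Value: idln2", "Quarantined ..."]
            sections[current].append({
                "path": m["path"],
                "threat": m["threat"],
                "detail": parts[:-1],
                "action": parts[-1],
            })
    return {"summary": summary, "sections": sections}


def check_summary(parsed):
    """Sections whose declared count differs from the number of entries listed under them."""
    return {name: (n, len(parsed["sections"].get(name, [])))
            for name, n in parsed["summary"].items()
            if n != len(parsed["sections"].get(name, []))}


def threat_families(parsed):
    """How many items each detection name (Trojan.Agent, Adware.ResultBar, ...) accounts for."""
    return Counter(e["threat"] for entries in parsed["sections"].values() for e in entries)


def not_removed(parsed):
    """Entries whose action is anything other than a successful quarantine (needs a reboot or a rerun)."""
    return [e for entries in parsed["sections"].values() for e in entries if e["action"] != REMOVED]


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_summary(report))
    print("families:", dict(threat_families(report)))
    print("not removed:", not_removed(report))
```

A non-empty `check_summary` result means the paste is truncated or edited, and a non-empty `not_removed` list means MBAM still needs a reboot or a second run before the machine can be called clean.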
Hi. Let’s see if there are any remains…
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds.scr to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. Attach DDS.txt back to the topic.
Thank you a lot! Here they are!
OK. Except for a couple of adware items, you have no active malware on your system.
→ The first thing you need to do is to install the latest version of avast antivirus.
The current version that you may download for free is avast 6.0.1091.
→ Next …
Start >> Control Panel >> Add or Remove Programs
Uninstall:
Fast Browser Search Toolbar
Productivity 2.2 Toolbar
Conduit Engine
&Windows Live Toolbar
→ Next…
Download CCleaner from here:
http://www.piriform.com/ccleaner
Run the Registry & Cleaner tools. Also disable your unnecessary startup entries.
Tools >> Startup >> select the unnecessary program >> Disable
Do not disable these entries:
avast
ctfmon.exe
Disable all, but leave these if you have the habit of using them:
MsnMsgr
MSMSGS
uTorrent
skype
USB Antivirus
log me in
FixCamera
Download & Run/use Wise Registry Cleaner & Puran Disc Defragmenter
http://www.wisecleaner.com/wiseregistrycleanerfree.html
http://www.puransoftware.com/Puran-Defrag-Download.html
About USB Antivirus:
I recommend that you uninstall this software and use MCShield to prevent infections via USB drives.
http://amf.mycity.rs/programs/mc/mcshield/index.html
I can’t access Add & Remove Programs, though other items in Control Panel are still OK. Moreover, avast shows that it keeps blocking redirects to two malicious sites. Plus, I can’t use Google Chrome. Is my problem really solved?
Download aswMBR from here: Click! (511KB) and save it to your desktop.
Double click the aswMBR on the desktop to run it
Click the “Scan” button to start the scan.
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan, click “Save log”, save it to your desktop and post it in your next reply.
Thank you very much. Below is the log
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-05 14:35:14
14:35:14.843 OS Version: Windows 5.1.2600 Service Pack 3
14:35:14.843 Number of processors: 2 586 0x170A
14:35:14.843 ComputerName: DG83K22S UserName: Admin
14:35:15.562 Initialize success
14:35:17.500 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
14:35:17.500 Disk 0 Vendor: WDC_WD16 11.0 Size: 152627MB BusType: 3
14:35:17.515 Disk 0 MBR read successfully
14:35:17.515 Disk 0 MBR scan
14:35:17.531 Disk 0 TDL4@MBR code has been found
14:35:17.531 Disk 0 MBR hidden
14:35:17.531 Disk 0 MBR [TDL4] ROOTKIT
14:35:17.546 Disk 0 trace - called modules:
14:35:17.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89920730]<<
14:35:17.562 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a29c868]
14:35:17.578 3 CLASSPNP.SYS[ba0e8fd7] → nt!IofCallDriver → [0x8a2e9650]
14:35:17.578 \Driver\iaStor[0x8a356298] → IRP_MJ_CREATE → 0x89920730
14:35:17.593 Scan finished successfully
14:35:38.875 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Admin\Desktop\MBR.dat”
14:35:38.890 The log file has been saved successfully to “C:\Documents and Settings\Admin\Desktop\aswMBR.txt”
I’ve pushed the “FixMBR” button and below is the new log. Has the problem been solved?
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-05 14:42:06
14:42:06.140 OS Version: Windows 5.1.2600 Service Pack 3
14:42:06.140 Number of processors: 2 586 0x170A
14:42:06.156 ComputerName: DG83K22S UserName: Admin
14:42:06.875 Initialize success
14:42:08.343 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
14:42:08.343 Disk 0 Vendor: WDC_WD16 11.0 Size: 152627MB BusType: 3
14:42:08.375 Disk 0 MBR read successfully
14:42:08.375 Disk 0 MBR scan
14:42:08.390 Disk 0 unknown MBR code
14:42:08.390 Disk 0 scanning sectors +312576705
14:42:08.437 Disk 0 scanning C:\WINDOWS\system32\drivers
14:42:13.328 Service scanning
14:42:16.046 Disk 0 trace - called modules:
14:42:16.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
14:42:16.093 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a5aeab8]
14:42:16.109 3 CLASSPNP.SYS[ba0e8fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x8a5af028]
14:42:16.109 Scan finished successfully
14:42:31.781 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Admin\Desktop\MBR.dat”
14:42:31.796 The log file has been saved successfully to “C:\Documents and Settings\Admin\Desktop\aswMBR1.txt”
It “seems” like my computer runs normally again. A big hand to both magna 68 and Zyndstoff (aka Steven Gail). Please let me know if I have additional steps to finish.
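The two aswMBR logs above are the heart of this thread: the first shows the TDL4 MBR detection, the hidden MBR and an unknown module hooked into the disk driver chain (`>>UNKNOWN [0x89920730]<<`, reached via `IRP_MJ_CREATE`), the second, taken after FixMBR, shows none of those but reports "unknown MBR code". The triage script below is an added example, not part of the thread and not AVAST's code; it parses abridged copies of both logs (constructed from the pasted text, with aswMBR's "->" separator restored), scores the indicators and diffs the two runs. The indicator names, the "infected/review/clean" verdict scale and all function names are ours; the matched wording is aswMBR's own.

```python
import re

# Abridged copies of the two logs pasted above, constructed for this example.
BEFORE_LOG = r"""
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-05 14:35:14
14:35:14.843 OS Version: Windows 5.1.2600 Service Pack 3
14:35:15.562 Initialize success
14:35:17.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:35:17.515 Disk 0 MBR read successfully
14:35:17.515 Disk 0 MBR scan
14:35:17.531 Disk 0 TDL4@MBR code has been found
14:35:17.531 Disk 0 MBR hidden
14:35:17.531 Disk 0 MBR [TDL4] ROOTKIT
14:35:17.546 Disk 0 trace - called modules:
14:35:17.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89920730]<<
14:35:17.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a29c868]
14:35:17.578 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8a2e9650]
14:35:17.578 \Driver\iaStor[0x8a356298] -> IRP_MJ_CREATE -> 0x89920730
14:35:17.593 Scan finished successfully
"""

AFTER_LOG = r"""
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-05 14:42:06
14:42:06.140 OS Version: Windows 5.1.2600 Service Pack 3
14:42:06.875 Initialize success
14:42:08.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:42:08.375 Disk 0 MBR read successfully
14:42:08.375 Disk 0 MBR scan
14:42:08.390 Disk 0 unknown MBR code
14:42:08.390 Disk 0 scanning sectors +312576705
14:42:08.437 Disk 0 scanning C:\WINDOWS\system32\drivers
14:42:13.328 Service scanning
14:42:16.046 Disk 0 trace - called modules:
14:42:16.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
14:42:16.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5aeab8]
14:42:16.109 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a5af028]
14:42:16.109 Scan finished successfully
"""

# Line shapes follow the aswMBR 0.9.5 output in the thread ("->" or pasted "→").
_LINE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<msg>.+)$")
_DISK = re.compile(r"^Disk (?P<n>\d+) (?P<text>.+)$")
_UNKNOWN_MOD = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
_HOOK = re.compile(r"IRP_MJ_\w+ (?:->|\u2192) (?P<addr>0x[0-9a-fA-F]+)")

# Indicator names are ours; the matched strings are aswMBR's own wording.
INDICATORS = (
    ("rootkit_signature", re.compile(r"@MBR code has been found|\bROOTKIT\b")),
    ("mbr_hidden", re.compile(r"\bMBR hidden\b")),
    ("unknown_mbr_code", re.compile(r"\bunknown MBR code\b")),
)


def triage(text):
    """Collect per-disk indicators, unknown modules in the call trace, IRP hooks and completion."""
    disks, unknown_modules, hooks, finished = {}, [], [], False
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:                      # banner / run-date lines carry no timestamp
            continue
        msg = m["msg"]
        d = _DISK.match(msg)
        if d:
            flags = disks.setdefault(int(d["n"]), set())
            flags.update(name for name, rx in INDICATORS if rx.search(d["text"]))
            continue
        u = _UNKNOWN_MOD.search(msg)
        if u:
            unknown_modules.append(u["addr"])
        h = _HOOK.search(msg)
        if h:
            hooks.append(h["addr"])
        if msg == "Scan finished successfully":
            finished = True
    return {"disks": disks, "unknown_modules": unknown_modules, "hooks": hooks, "finished": finished}


def indicator_set(report):
    """Flatten a report into one set of indicator names (all disks plus the trace)."""
    flags = set().union(*report["disks"].values())
    if report["unknown_modules"]:
        flags.add("unknown_module")
    return flags


def verdict(report):
    """'infected' on a rootkit signature, hidden MBR or unknown hooked module;
    'review' when only a non-standard MBR remains; 'clean' otherwise."""
    flags = indicator_set(report)
    if flags & {"rootkit_signature", "mbr_hidden", "unknown_module"}:
        return "infected"
    if "unknown_mbr_code" in flags:
        return "review"
    return "clean"


def compare(before_text, after_text):
    """Which indicators a second scan cleared, which are new, and which remain."""
    b, a = triage(before_text), triage(after_text)
    fb, fa = indicator_set(b), indicator_set(a)
    return {"cleared": sorted(fb - fa), "new": sorted(fa - fb), "remaining": sorted(fa),
            "verdict_before": verdict(b), "verdict_after": verdict(a)}


if __name__ == "__main__":
    print(compare(BEFORE_LOG, AFTER_LOG))
```

On the thread's logs the first run scores "infected" and the second "review": the TDL4 signature, the hidden MBR and the unknown module are gone, but the MBR code is now non-standard, which is exactly why the helpers ask for a rerun rather than declaring the machine clean.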
Well, as a matter of fact, “FixMBR” was the wrong button…
If this solved the problem, you’re lucky. If the problem comes back, please come back here again.
It’s always a good idea to wait for instructions when you are using an unknown tool… ;D
Please rerun MBAM (update it via GUI update tab) and have it remove everything it finds.
Cheers
Zyndstoff
Hmm, strange that DDS did not show rootkit
Yes, but DDS would have to recognize it.
Moreover, avast shows that it keep blocking redirect to two malicious sites. Plus, I can't use google chrome. Is my problem really solved?
@Zyndstoff (aka Steven Gail)
You knew about this or… by heart? ;D
Obviously, it didn’t…
Nope, but there have been more cases in the last days where some tools did not find anything, the symptoms were blocked URLs even without any browser running…
Besides that, I’m a wizard. ;D
I believe it is a new variant of the TDL rootkits,
and it is therefore difficult for our diagnostic tools to identify the presence of the rootkit.
But again, I am surprised that the mbr.exe in DDS did not list info about TDL while it is in aswMBR.