
Malware + Multifile Downloader


This topic is locked
2 replies to this topic

#1 CovenantSeth

CovenantSeth

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:36 AM

Posted 27 November 2009 - 07:26 PM

Hello. I recently got some malware that was redirecting my Google searches to other pages than I clicked on. In addition to that I had "Multi File Downloader" installed onto my computer, but it doesn't show up in my programs list.

I got a trial of Norton 360 and then removed a single threat and now it is gone. However, there is another file that I found in my root folder that I tried to remove and it said it was being used by another program... So I shut all my programs down and it said the same thing. I then went to my processes panel and didn't see the exe file running. The file is called afbbadf.exe

Let me know if I still have something bad running.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:30 PM, on 11/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\nvsvc32.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
J:\WINDOWS\stsystra.exe
J:\WINDOWS\system32\RUNDLL32.EXE
J:\Program Files\iTunes\iTunesHelper.exe
J:\Program Files\X3watch\x3watch.exe
J:\WINDOWS\system32\ctfmon.exe
J:\Program Files\Sandboxie\SbieCtrl.exe
J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
J:\Program Files\Bonjour\mDNSResponder.exe
J:\Program Files\Digidesign\Drivers\MMERefresh.exe
J:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
J:\Program Files\Sandboxie\SbieSvc.exe
J:\WINDOWS\system32\svchost.exe
J:\Program Files\M-Audio Uno\UnoInst.exe
J:\Program Files\iPod\bin\iPodService.exe
J:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
J:\WINDOWS\system32\wuauclt.exe
J:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
J:\Program Files\FileZilla Server\FileZilla Server.exe
J:\WINDOWS\explorer.exe
J:\Program Files\Windows Media Player\wmplayer.exe
J:\Program Files\uTorrent\uTorrent.exe
J:\WINDOWS\system32\rundll32.exe
J:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts:  
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - J:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - J:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - J:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - J:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [nwiz] J:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE J:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "J:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "J:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "J:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "J:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [x3watch] J:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] J:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [FileZilla Server Interface] "J:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKCU\..\Run: [ctfmon.exe] J:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "J:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SandboxieControl] "J:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Multi File Downloader] J:\Program Files\Multi File Downloader\MultiFileDownloader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m4a: J:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www2.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://covenanttraining.webex.com/client/T...nbr/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - J:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O23 - Service: 66afd4366647446ce0e475076ca50d95 (afbbadf) - Unknown owner - J:\WINDOWS\afbbadf.exe
O23 - Service: Apple Mobile Device - Apple Inc. - J:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - J:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - J:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - J:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: Symantec Eraser Service (EraserSvc10922) - Symantec Corporation - J:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - J:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - J:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - J:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - J:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - J:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - J:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - J:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: M-Audio Uno Installer (UnoInstallerService) - Unknown owner - J:\Program Files\M-Audio Uno\UnoInst.exe
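An added example for triaging a HijackThis log like the one above (this is not code from the poster or from BleepingComputer): it parses the O4 Run-key and O23 service lines and scores each on a few structural heuristics that a malware responder would check first: a service with no vendor string, a display name that is a 32-character hex string, a binary placed directly in the Windows directory rather than under Program Files, and a file name made only of hex digits. The scoring weights and the threshold are assumptions chosen for illustration; a high score means "review this entry", not "this is malware". The sample lines are taken from the log above.

```python
import re
from dataclasses import dataclass

# Constructed sample: five lines in HijackThis 2.0 format, copied from the log
# above so the afbbadf.exe service can be compared with ordinary entries.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [nwiz] J:\\Program Files\\NVIDIA Corporation\\nView\\nwiz.exe /install
O4 - HKCU\\..\\Run: [Multi File Downloader] J:\\Program Files\\Multi File Downloader\\MultiFileDownloader.exe
O23 - Service: 66afd4366647446ce0e475076ca50d95 (afbbadf) - Unknown owner - J:\\WINDOWS\\afbbadf.exe
O23 - Service: Bonjour Service - Apple Inc. - J:\\Program Files\\Bonjour\\mDNSResponder.exe
O23 - Service: M-Audio Uno Installer (UnoInstallerService) - Unknown owner - J:\\Program Files\\M-Audio Uno\\UnoInst.exe
"""


@dataclass
class Entry:
    kind: str   # "O4" (Run key) or "O23" (service)
    name: str   # Run value name or service display name
    owner: str  # service vendor string; "" for O4 entries
    path: str   # executable path with arguments stripped


O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*)$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")      # md5-like display name
HEXNAME_RE = re.compile(r"^[0-9a-f]{6,}$")    # file stem made only of hex digits


def _exe_path(command: str) -> str:
    """Strip arguments from a Run command: a quoted path, or the first token ending in .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def parse_hjt(text: str) -> list:
    """Return Entry objects for every O4 and O23 line; other line types are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m.group(2), "", _exe_path(m.group(3))))
            continue
        m = O23_RE.match(line)
        if m:
            # The display name may itself contain " - ", so split from the right:
            # "<display> - <owner> - <path>".
            parts = m.group(1).rsplit(" - ", 2)
            if len(parts) == 3:
                entries.append(Entry("O23", parts[0], parts[1], parts[2]))
    return entries


def score_entry(entry: Entry):
    """Heuristic score plus reasons. Weights are illustrative assumptions, not a verdict."""
    score, reasons = 0, []
    filename = entry.path.rsplit("\\", 1)[-1]
    stem = re.sub(r"\.[^.]*$", "", filename).lower()
    parent = entry.path.rsplit("\\", 1)[0].lower() if "\\" in entry.path else ""
    display = entry.name.split(" (", 1)[0].lower()

    if entry.kind == "O23" and entry.owner.lower() == "unknown owner":
        score += 1
        reasons.append("service has no vendor string")
    if HEX32_RE.match(display):
        score += 3
        reasons.append("display name is a 32-character hex string")
    if re.search(r"\\windows$", parent):
        score += 2
        reasons.append("binary sits directly in the Windows directory")
    if HEXNAME_RE.match(stem):
        score += 2
        reasons.append("file name consists only of hex digits")
    return score, reasons


def triage(text: str, threshold: int = 3):
    """Entries scoring at or above the threshold, highest score first."""
    results = []
    for entry in parse_hjt(text):
        score, reasons = score_entry(entry)
        if score >= threshold:
            results.append((entry, score, reasons))
    return sorted(results, key=lambda r: -r[1])


if __name__ == "__main__":
    for entry, score, reasons in triage(SAMPLE_LOG):
        print(f"[{score}] {entry.kind} {entry.name} -> {entry.path}")
        for reason in reasons:
            print("     -", reason)
```

Run against the sample, only the afbbadf service is flagged (all four rules fire), while the M-Audio service with an unknown owner stays below the threshold. The "Multi File Downloader" Run entry scores zero: the poster's concern about it, that it does not appear in the installed-programs list, is not visible in the log itself and needs a check against Add/Remove Programs.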


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:36 PM

Posted 04 December 2009 - 06:49 AM

Hi,

Sorry for the delayed response. The forums have been really busy. If you still need help with this, do the following, please.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When the scan is finished, click Copy.
  • This copies the log to the clipboard
  • Post the log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:36 PM

Posted 11 December 2009 - 04:25 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
