
Avira Pop-up: infection with Delphi.gen Trojan


  • This topic is locked
11 replies to this topic

#1 Chuck Q

  • Members
  • 6 posts

Posted 09 February 2010 - 01:38 PM

My wife is receiving, on a very regular basis, Avira pop-ups telling her that an infection with the Delphi.gen Trojan was found on C:\Documents & Settings\...\Local Settings\svchost.exe.

Similar messages that appeared (but less frequent) were:

TR/Dldr.Renos.KF.57 Trojan on C:\WINDOWS\msb.exe
TR/Dldr.Renos.KM.6 Trojan on C:\Documents & Settings\...\Local Settings\Mcr.exe

Underneath and attached the logs as described in the sticky post. Thanks in advance for your support.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Sandy Van Wabeke at 18:09:15,53 on di 09/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.191.36 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Sandy Van Wabeke\guezoox.exe
C:\WINDOWS\msb.exe
C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\msb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\SANDYV~1\LOCALS~1\Temp\Mcr.exe
C:\Documents and Settings\Sandy Van Wabeke\Local Settings\Temporary Internet Files\Content.IE5\O0F70GBY\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.be/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [guezoox] c:\documents and settings\sandy van wabeke\guezoox.exe
uRun: [F5JMWNZTHI] c:\docume~1\sandyv~1\locals~1\temp\Mcr.exe
uRun: [ROUA3O12PW] c:\windows\msb.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\photof~1.lnk - c:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} - hxxps://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sandyv~1\applic~1\mozilla\firefox\profiles\q82knlsr.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-9 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-9 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-9 56816]
R3 W33ND;W89C33 mPCI 802.11 Wireless LAN Adapter Driver;c:\windows\system32\drivers\W33ND.SYS [2006-2-21 143904]

=============== Created Last 30 ================

2010-02-09 06:38:02 136192 ----a-w- c:\windows\msb.exe
2010-02-08 19:28:20 528385 ----a-w- c:\documents and settings\sandy van wabeke\iexplore.exe
2010-02-08 18:46:10 136192 ----a-w- c:\windows\msa.exe
2010-02-08 18:45:32 177152 ----a-w- c:\windows\system32\sshnas21.dll
2010-02-08 18:42:05 77824 --sh--r- c:\documents and settings\sandy van wabeke\guezoox.exe
2010-01-28 15:08:05 0 d-----w- c:\windows\system32\appmgmt
2010-01-13 14:14:18 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-21 19:10:30 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-09 15:23:43 87500 ----a-w- c:\windows\system32\perfc013.dat
2009-12-09 15:23:43 502420 ----a-w- c:\windows\system32\perfh013.dat
2009-12-02 18:27:45 294912 ----a-w- c:\windows\HideWin.exe
2009-08-10 19:42:01 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-10 19:42:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012009080320090810\index.dat
2009-08-10 19:42:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012009081020090811\index.dat

============= FINISH: 18:12:39,71 ===============
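The DDS report above lists the autorun entries the helper keys on. What follows is an added example, not code from the original post or from DDS itself: a small Python triage of the uRun/mRun/dRun lines in the Pseudo HJT section that flags entries running from Temp, Local Settings or a user profile root, entries dropped straight into the Windows root rather than system32, and value names that look machine-generated. The sample input is constructed from the lines of this log; the path rules assume XP-era Documents and Settings layouts (and their 8.3 short forms) as seen here. On this input it flags exactly the three entries that turn out to be malware further down the thread: F5JMWNZTHI and ROUA3O12PW (later removed by Malwarebytes) and guezoox, which the helper deals with by hand.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: Run-key lines in the shape DDS prints them in its
# "Pseudo HJT Report", copied from the log in the post above.
SAMPLE_DDS = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [guezoox] c:\documents and settings\sandy van wabeke\guezoox.exe
uRun: [F5JMWNZTHI] c:\docume~1\sandyv~1\locals~1\temp\Mcr.exe
uRun: [ROUA3O12PW] c:\windows\msb.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
"""

# uRun = HKCU, mRun = HKLM, dRun = default-user hive, as DDS abbreviates them.
RUN_LINE = re.compile(r"^(?P<scope>[umd])Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
# First executable path in the command; DDS leaves most paths unquoted even with spaces.
EXE_PATH = re.compile(r'^"?(?P<path>.+?\.(?:exe|scr|com|bat|cmd|dll))"?', re.IGNORECASE)
# Value names of 8+ upper-case letters/digits containing at least one digit.
RANDOM_NAME = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")


@dataclass
class AutorunFinding:
    scope: str                      # "u", "m" or "d"
    name: str                       # the Run value name
    path: str                       # executable the value launches
    reasons: list = field(default_factory=list)


def _location_reasons(path):
    """Location-based heuristics for XP-era paths (assumption: C: drive, Documents and Settings)."""
    p = path.lower()
    reasons = []
    if "\\temp\\" in p or "\\locals~1\\" in p or "\\local settings\\" in p:
        reasons.append("runs from a Temp or Local Settings directory")
    # c:\documents and settings\<user>\<file> or the 8.3 form c:\docume~1\<user>\<file>
    if re.match(r"^c:\\(documents and settings|docume~1)\\[^\\]+\\[^\\]+$", p):
        reasons.append("executable sits directly in a user profile root")
    if re.match(r"^c:\\windows\\[^\\]+$", p):
        reasons.append("executable sits directly in the Windows root, not system32")
    return reasons


def triage_autoruns(report_text):
    """Return the Run entries that deserve a closer look, with the reason for each."""
    findings = []
    for line in report_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        pm = EXE_PATH.match(cmd)
        path = pm.group("path") if pm else cmd
        reasons = _location_reasons(path)
        if RANDOM_NAME.match(name):
            reasons.append("value name looks machine-generated")
        if reasons:
            findings.append(AutorunFinding(m.group("scope"), name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_DDS):
        print(f"[{f.scope}Run] {f.name}: {f.path}")
        for r in f.reasons:
            print("    -", r)
```

The heuristics are deliberately narrow: a legitimate Run entry under Program Files or system32 with a readable name produces no finding, and an entry gets several reasons when both its location and its name are off, as with the two Temp and Windows-root entries here.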


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 February 2010 - 08:14 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Place the installer on your desktop. Rename the installer to firefox.exe or winlogon.exe or explorer.exe
Then launch the renamed installer in order to install Malwarebytes.
  • Once Malwarebytes is installed and it won't run, navigate to the Program Files\Malwarebytes' anti-malware folder and locate the mbam.exe file in there. Rename it as well to firefox.exe or winlogon.exe or explorer.exe.
  • Launch the renamed mbam.exe in order to run Malwarebytes.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Do NOT post the log yet, but allow mbam to reboot.
  • After reboot, immediately rescan with malwarebytes, let it perform another scan, select to remove and reboot once again.
  • It's important that these steps are performed immediately after each other (scan > select to remove > reboot > right after reboot, another scan > select to remove > reboot).
Then when done, post the LATEST malwarebytes log in your next reply. Only post that log AFTER the second reboot.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Chuck Q

  • Topic Starter
  • Members
  • 6 posts

Posted 13 February 2010 - 05:00 AM

Hi,

Thanks for the assistance. Unfortunately, the laptop refuses to boot any longer now (well, actually it is more like a boot loop). I have tried Windows recovery (chkdsk /r and bootfix) without any success...
First I will try to have that cured - if possible of course - and after that I will get back to you with the requested log.

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 February 2010 - 07:58 AM

Hi,

I'm sorry to hear that, but unfortunately this happens frequently on severely infected computers.
You can try a Windows repair install. That won't erase any data.
http://michaelstevenstech.com/XPrepairinstall.htm

#5 Chuck Q

  • Topic Starter
  • Members
  • 6 posts

Posted 13 February 2010 - 10:27 AM

Thanks for the suggestion. I came by the same link this morning and it indeed helped to solve my boot problem, so during the afternoon I was finally able to run the Anti-Malware.

Here's the log after the second clean:

Malwarebytes' Anti-Malware 1.44
Database versie: 3732
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

13/02/2010 16:17:18
mbam-log-2010-02-13 (16-17-18).txt

Scan type: Snelle Scan
Objecten gescand: 110284
Verstreken tijd: 3 hour(s), 12 minute(s), 59 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 5
Registerwaarden geïnfecteerd: 2
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 7

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_CURRENT_USER\SOFTWARE\F5JMWNZTHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f5jmwnzthi (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\roua3o12pw (Trojan.Agent) -> Quarantined and deleted successfully.

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
C:\Documents and Settings\Sandy Van Wabeke\Local Settings\Temp\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sandy Van Wabeke\iexplore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sshnas21.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

First impression is that the nasty Avira pop-ups at startup are gone. If we're not there yet, we're at least along the road towards victory, or so it seems.

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 February 2010 - 10:31 AM

Hi,

Can you also post a new DDS log please?
By the way, I see you are Dutch, so feel free to carry on in Dutch :D

#7 Chuck Q

  • Topic Starter
  • Members
  • 6 posts

Posted 13 February 2010 - 03:11 PM

Handy too.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Sandy Van Wabeke at 20:00:59,46 on za 13/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.191.67 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Sandy Van Wabeke\guezoox.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
E:\gUeZoOX.exe
C:\Documents and Settings\Sandy Van Wabeke\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.be/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [guezoox] c:\documents and settings\sandy van wabeke\guezoox.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\photof~1.lnk - c:\program files\panasonic\photofunstudio -viewer-\PhAutoRun.exe
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {CAC677B6-4963-4305-9066-0BD135CD9233} - hxxps://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sandyv~1\applic~1\mozilla\firefox\profiles\q82knlsr.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-9 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-9 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-9 56816]
R3 W33ND;W89C33 mPCI 802.11 Wireless LAN Adapter Driver;c:\windows\system32\drivers\W33ND.SYS [2006-2-21 143904]

=============== Created Last 30 ================

2010-02-13 18:49:37 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-13 18:47:42 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-13 18:47:36 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-13 18:47:35 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-13 18:47:32 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-13 18:47:32 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-02-13 18:47:29 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-02-13 17:18:23 0 d-----w- c:\windows\system32\CatRoot_bak
2010-02-13 17:14:23 272640 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-02-13 16:26:03 0 d-----w- c:\program files\MSXML 6.0
2010-02-13 16:23:17 2140672 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-13 16:23:17 2062080 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-13 16:23:16 2184704 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-13 16:23:14 2020352 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-13 16:18:34 453760 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-13 11:34:07 0 d-----w- c:\docume~1\sandyv~1\applic~1\Malwarebytes
2010-02-13 11:33:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-13 11:33:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-13 11:33:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-13 11:33:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 10:47:11 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-02-13 10:45:59 80896 -c--a-w- c:\windows\system32\dllcache\rwia330.dll
2010-02-13 10:44:59 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-02-13 10:43:59 94208 -c--a-w- c:\windows\system32\dllcache\evntwin.exe
2010-02-13 10:42:54 373248 -c--a-w- c:\windows\system32\dllcache\asp51.dll
2010-02-13 10:41:59 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll
2010-02-13 10:39:42 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-02-13 10:39:32 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-02-13 10:39:32 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-02-13 10:39:32 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-02-13 10:39:32 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-02-13 10:39:32 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-02-13 10:39:01 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-02-13 10:38:29 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-02-13 10:38:28 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-02-13 10:38:28 217088 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-02-13 10:38:28 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-02-13 10:26:17 27165 ----a-w- c:\windows\system32\drivers\fetnd5.sys
2010-02-08 18:42:05 77824 --sh--r- c:\documents and settings\sandy van wabeke\guezoox.exe
2010-01-28 15:08:05 0 d-----w- c:\windows\system32\appmgmt

==================== Find3M ====================

2010-02-13 11:05:37 87500 ----a-w- c:\windows\system32\perfc013.dat
2010-02-13 11:05:37 502420 ----a-w- c:\windows\system32\perfh013.dat
2010-02-13 10:36:56 22876 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:36:16 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-21 19:10:30 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 08:00:56 345600 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:37:46 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-02 18:27:45 294912 ----a-w- c:\windows\HideWin.exe
2009-11-27 17:35:53 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:35:53 1295360 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:41:28 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:41:28 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:41:28 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:41:28 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:41:28 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-08-10 19:42:01 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 20:01:49,54 ===============

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 February 2010 - 04:21 PM

Hi,

* Make sure that hidden folders and files are shown.
Click these instructions to see how to show all hidden folders and files.

Then browse to the following file:

c:\documents and settings\sandy van wabeke\guezoox.exe

Rename the file to guezoox.bad

Then go to this page.
Put the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the "browse" button next to it and browse to the renamed file guezoox.bad
and select it for upload.

Then,

Open Notepad and copy and paste the following bold text into it:
(don't forget to copy and paste REGEDIT4 too!)

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"guezoox"=-


Save this as fix.reg, choosing Save as type: *All files, and put it on your desktop.
This is what the regfix should look like afterwards:
Double-click it.
When asked whether you want to add it to the registry, click yes/OK.

Then restart your PC.
After the restart, delete the file c:\documents and settings\sandy van wabeke\guezoox.bad

Then let me know how everything is working again.

Edited by miekiemoes, 13 February 2010 - 04:22 PM.
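The fix.reg above uses the REGEDIT4 "name"=- syntax, which deletes a single value without touching the rest of the Run key. As an added example (not code from the post above, and not a tool regedit provides), the Python below parses a REGEDIT4 file into the operations regedit would apply, lists only the destructive ones so a fix can be checked before it is double-clicked, and builds such a value-deletion file from a list of key/value pairs. The sample input is the fix.reg text from the post. The parser assumes REGEDIT4-format files only (the header for ANSI text), not the "Windows Registry Editor Version 5.00" Unicode format.

```python
import re
from dataclasses import dataclass

# Constructed sample: the fix.reg content from the post above, as typed into Notepad.
SAMPLE_FIX_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"guezoox"=-
"""


@dataclass(frozen=True)
class RegOp:
    kind: str        # "ensure_key", "delete_key", "set_value" or "delete_value"
    key: str
    name: str = ""   # value name; "@" is the key's (Default) value
    data: str = ""   # unescaped string data, or the raw dword:/hex: text


SECTION = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")
VALUE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


def _unescape(quoted):
    # Drop the surrounding quotes and resolve the \" and \\ escapes .reg files use.
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text):
    """Parse a REGEDIT4 file into the ordered list of operations regedit would apply."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("first line must be exactly REGEDIT4")
    ops, key, key_deleted = [], None, False
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        sm = SECTION.match(line)
        if sm:
            key, key_deleted = sm.group("key"), bool(sm.group("minus"))
            # A plain [key] line creates the key if it does not exist yet.
            ops.append(RegOp("delete_key" if key_deleted else "ensure_key", key))
            continue
        vm = VALUE.match(line)
        if not vm or key is None or key_deleted:
            raise ValueError(f"unexpected line: {raw!r}")
        name = "@" if vm.group("name") == "@" else _unescape(vm.group("name"))
        data = vm.group("data").strip()
        if data == "-":
            ops.append(RegOp("delete_value", key, name))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            ops.append(RegOp("set_value", key, name, _unescape(data)))
        else:
            ops.append(RegOp("set_value", key, name, data))   # dword:, hex:, ...
    return ops


def destructive_ops(ops):
    """Only the operations that remove something: what to double-check before merging."""
    return [op for op in ops if op.kind in ("delete_key", "delete_value")]


def build_value_deletion_reg(deletions):
    """Build REGEDIT4 text that removes exactly the given (key, value_name) pairs."""
    by_key = {}
    for key, name in deletions:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{_escape(n)}"=-' for n in names)
        out.append("")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for op in destructive_ops(parse_reg(SAMPLE_FIX_REG)):
        print(op.kind, op.key, op.name)
```

When writing the generated text to disk on Windows, save it as ANSI with CRLF line endings (open(path, "w", encoding="cp1252", newline="\r\n")), which is what the REGEDIT4 header promises. A [key] line only creates the key if it is missing, so the only lines in such a file that remove anything are "name"=- and [-key]; on this fix that is the single guezoox value, the one Run entry the Malwarebytes log above did not already clean up.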


#9 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 February 2010 - 09:07 AM

Still there?

#10 Chuck Q

  • Topic Starter
  • Members
  • 6 posts

Posted 23 February 2010 - 12:01 PM

Still here. I've been out of circulation for a bit.

First impression was that it was indeed solved, but soon the Avira warnings started coming back, and today it went completely wrong again...

Very many warnings, we couldn't keep up. On top of that, icons started appearing that we had never seen before, with the craziest names. Finally the laptop seized up completely again, in other words: a black screen at startup and, after a very long wait, something along the lines of "cannot start, error in the system".

So I'm busy with the recovery again and will go through all the steps once more afterwards, but in the meantime a few remarks:

1) In my view the infection quite clearly comes from my wife's workplace (a school). They have enormous problems there too, and given that files regularly travel back and forth between this laptop and the school computers by USB stick or mail, you don't have to look far for the source of the infection. When I dared to suggest a full quarantine of school files, I immediately got "then I might as well stop working". Fat lot of good that does you, of course.

2) I think the hard disk in the laptop itself is also on its last legs. When I do a system recovery with, among other things, chkdsk, it takes quite a long time. Besides, these days we hear and feel a kind of "buzzing" just in front of the keyboard, as if it just keeps seeking. Bad sectors, a broken boot record, etc. are all among the possibilities, but either way it doesn't look good...

I'll let you know when I can get back to it; for now I'm busy.

#11 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 February 2010 - 12:14 PM

Oh dear,

That indeed doesn't sound good... Fingers crossed...

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 March 2010 - 11:31 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




