
midimap.dll . . . is infected


  • This topic is locked
5 replies to this topic

#1 iztian12

  • Members
  • 2 posts

Posted 28 October 2012 - 05:19 AM

ComboFix 12-10-26.05 - iz12 10/28/2012 16:51:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1621 [GMT 1:00]
Running from: c:\documents and settings\iz12\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\winlogon.bak
.
c:\windows\system32\midimap.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-28 )))))))))))))))))))))))))))))))
.
.
2012-10-27 10:12 . 2011-12-12 18:18 135168 ------r- C:\ WINDOWS.exe
2012-10-27 10:12 . 2011-12-12 18:18 135168 ------r- C:\ Program Files.exe
2012-10-27 10:12 . 2011-12-12 18:18 135168 ------r- C:\ Intel.exe
2012-10-27 10:12 . 2011-12-12 18:18 135168 ------r- C:\ Documents and Settings.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-23 15:50 . 2009-12-13 11:34 547328 ----a-w- c:\windows\system32\winlogon.exe
2012-10-11 01:06 . 2012-10-23 09:55 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-12 18:18 135168 --sh--r- c:\windows\Ozczwllqfud.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-12-13 . 1F39C7BDBA4C5F3F01C4EABF7EDBF4B3 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2009-12-13 11:31 . CBC59F466E0A7EC2AF035129BE0B0C6B . 1390080 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2012-10-23 . D80E832DE18D17CB5727B905FE12ACE2 . 547328 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2009-12-13 . 58CF7BA5BB7751FCD29F7965608D4200 . 115712 . . [5.4.3790.5512] . . c:\windows\system32\wuauclt.exe
.
[-] 2009-12-13 . 8E520CF839F65BC9F5AFB440F27C7593 . 724992 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
[7] 2004-08-04 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
.
[-] 2009-12-13 . A6A3A43227ECB2CAA7B09CD6AE916273 . 6169088 . . [8.00.6001.22945] . . c:\windows\system32\mshtml.dll
.
[-] 2009-12-13 . 1F796B640B01A277B463E51CF0D79E10 . 587264 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2009-12-13 . 6F2B93167CA0716298DCBE9B1B50D8E2 . 1017856 . . [8.00.6001.22945] . . c:\windows\system32\wininet.dll
.
[-] 2009-12-14 . 2C0205CE309D765EC563F749162036AB . 1558528 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
[-] 2008-04-14 . 18B0915F58A5342AB0F3D01D57261E32 . 267264 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
[-] 2009-12-13 . BD604DB0B7FF60CCC578DF54C5563E80 . 1312256 . . [5.1.2600.5512] . . c:\windows\system32\ole32.dll
.
[-] 2009-12-13 . B5E8782D4AF1B3756F38E11E7C157BBE . 25088 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
.
[-] 2009-12-13 . A913E1FF4C0BDA15FC542430182EB7B6 . 368640 . . [5.1.2600.5512] . . c:\windows\system32\hnetcfg.dll
.
[-] 2009-12-14 . 9EEDC84F6218A0E2B453BC060859BD9D . 2023424 . . [5.1.2600.5857] . . c:\windows\system32\ntkrnlpa.exe
.
.
[-] 2009-12-13 . 66620EE56B0FFB1B267BD24ECF942A9B . 42496 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-08-09 3076144]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-12-13 128512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-03-23 11:34 166424 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-03-23 11:34 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-03-23 11:34 137752 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-03-27 19:22 17567744 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 07:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [8/4/2011 8:20 AM 118104]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/4/2011 8:20 AM 103112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 5:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 10:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [7/11/2012 7:54 PM 116608]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [8/9/2011 8:39 PM 974944]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/27/2012 9:27 AM 399432]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/27/2012 9:27 AM 22856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/23/2012 11:06 AM 136176]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/27/2012 9:27 AM 676936]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [10/23/2012 12:03 PM 250808]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/23/2012 4:59 PM 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/23/2012 11:06 AM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [10/23/2012 10:55 AM 115168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-12-13 07:50 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-23 11:03]
.
2012-10-27 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2012-10-27 13:24]
.
2012-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-23 10:06]
.
2012-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-23 10:06]
.
2012-10-23 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 2fbab6f9-8234-4860-8cf7-ed0a4c7a62d3.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 124.106.4.2 124.106.7.2
FF - ProfilePath - c:\documents and settings\iz12\Application Data\Mozilla\Firefox\Profiles\49ananl2.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-28 16:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll
.
- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\setupapi.dll
.
Completion time: 2012-10-28 16:59:27
ComboFix-quarantined-files.txt 2012-10-28 15:59
.
Pre-Run: 37,929,472,000 bytes free
Post-Run: 39,039,270,912 bytes free
.
- - End Of File - - 3187A8CBD81613F04B5925EC7F48A207

#2 Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • Location:somewhere in time

Posted 30 October 2012 - 04:09 PM

Hello iztian and :welcome: on BC.

I will be helping with your computer problems.

Before we start, please note the following:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know
  • Do not make any changes on your own to the computer (installing/uninstall programs, deleting files, modifying the registry, running scanners or other tools, etc.) without instructions to do it
  • Please read every post completely and perform all steps in the specified order. If you can't understand something or you encounter problems please stop and let me know
  • Do not attach logs, use code or quote boxes. Just copy and paste the text unless directed otherwise
  • Even if things appear to be better, it does not mean we have finished. Follow the instructions and reply back until I tell you that your computer is clean. At the end I will also provide you further suggestions about how to avoid future infections and improve security on your system
  • Please reply using the Add Reply button in the lower right hand corner of your screen
  • Please track this topic by clicking on the Watch Topic button on the top right of this thread => select Immediate Email Notification => click on the Proceed button
As a start you have to follow these steps, describe carefully the problems experienced on your machine and post the required logs as described in that topic. :)


Regards

#3 iztian12

  • Topic Starter
  • Members
  • 2 posts

Posted 31 October 2012 - 03:15 AM

Thanks to BLEEPING my PC is now virus free.. was my PC really infected by a virus?? THANKS

Before I ran COMBOFIX I'd read the topic carefully and I followed the instructions seriously, hehehe
After I ran CF my system went back to normal,, but I knew that there was something left so I installed ESET 5 then I let
ESET completely clean my system..

I have 3 hard drives infected by the same malware or worm? but ESET deleted my suspicious .exe files.
At first I wouldn't use ESET because it deletes my infected files that I treasure, but after I used CF it's now totally clean..

THANKS for your recommendation.. you've given a complete and clean answer to my problems

more power to bleepsss...

#4 Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • Location:somewhere in time

Posted 01 November 2012 - 07:23 AM

Hello iztian :),

your PC was infected and I suspect it still is.
Furthermore there are some security issues on your computer.
I don't know if malware is present on your other HDDs, but without the required logs I cannot help you.

If you want to proceed, please follow what I wrote in my previous post, otherwise after 3 days without replies this topic will be closed.


Regards

#5 Clairvoyant

  • Malware Response Team
  • 1,564 posts
  • Location:somewhere in time

Posted 04 November 2012 - 07:36 AM

Hello iztian,

are you still with us?

After another 2 days without replies this topic will be closed.


Regards

#6 Elise

  • Malware Study Hall Admin
  • 61,083 posts
  • Location:Romania

Posted 08 November 2012 - 05:21 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft