PDA

View Full Version : Infected with Windows explorer malware



dalfish
2010-10-30, 19:33
Dear Friends,


I got infected with 177 malware items. I just tried to download opensuse11.3 from mirrorackspace.com. So i cleaned the 170 infections with Spybot. When i run the spybot the items now detected are

MS Office 12.0 (Excel): [SBI $546355D5] Recent Cartel List (1 files) (Registry key, nothing done)

HKEY_USERS\S-1-5-21-1953444363-2538418381-4065474521-1000\Software\Microsoft\Office\12.0\Excel\File MRU



MS Office 12.0 (Word): [SBI $E357B233] Recent Document List (2 files) (Registry key, nothing done)

HKEY_USERS\S-1-5-21-1953444363-2538418381-4065474521-1000\Software\Microsoft\Office\12.0\Word\File MRU



Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources



Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, nothing done)

HKEY_USERS\S-1-5-21-1953444363-2538418381-4065474521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count



Windows Explorer: [SBI $6107D172] User Assistant history files (28 files) (Registry key, nothing done)

HKEY_USERS\S-1-5-21-1953444363-2538418381-4065474521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count



Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)

HKEY_USERS\S-1-5-21-1953444363-2538418381-4065474521-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs



Cache: [SBI $49804B54] Cache (7) (Cache, nothing done)





History: [SBI $49804B54] History (4) (History, nothing done)





Congratulations!: No immediate threats were found. (Status)







--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---



2009-01-26 blindman.exe (1.0.0.8)

2009-01-26 SDFiles.exe (1.6.1.7)

2009-01-26 SDMain.exe (1.0.0.6)

2009-01-26 SDShred.exe (1.0.2.5)

2009-01-26 SDUpdate.exe (1.6.0.12)

2009-01-26 SDWinSec.exe (1.0.0.12)

2009-01-26 SpybotSD.exe (1.6.2.46)

2009-03-05 TeaTimer.exe (1.6.6.32)

2009-10-11 unins000.exe (51.49.0.0)

2009-01-26 Update.exe (1.6.0.7)

2009-09-07 advcheck.dll (1.6.4.18)

2007-04-02 aports.dll (2.1.0.0)

2008-06-14 DelZip179.dll (1.79.11.1)

2009-01-26 SDHelper.dll (1.6.2.14)

2008-06-19 sqlite3.dll

2009-01-26 Tools.dll (2.1.6.10)

2009-01-16 UninsSrv.dll (1.0.0.0)

2010-02-17 Includes\Adware (2).sbi (*)

2010-06-29 Includes\Adware.sbi (*)

2010-03-02 Includes\AdwareC (2).sbi (*)

2010-10-12 Includes\AdwareC.sbi (*)

2010-01-25 Includes\Cookies (2).sbi (*)

2010-08-13 Includes\Cookies.sbi (*)

2009-11-03 Includes\Dialer (2).sbi (*)

2010-09-22 Includes\Dialer.sbi (*)

2010-03-02 Includes\DialerC (2).sbi (*)

2010-10-12 Includes\DialerC.sbi (*)

2010-01-25 Includes\HeavyDuty (2).sbi (*)

2010-01-25 Includes\HeavyDuty.sbi (*)

2009-05-26 Includes\Hijackers (2).sbi (*)

2009-05-26 Includes\Hijackers.sbi (*)

2010-03-02 Includes\HijackersC (2).sbi (*)

2010-10-12 Includes\HijackersC.sbi (*)

2010-09-15 Includes\iPhone.sbi (*)

2010-01-20 Includes\Keyloggers (2).sbi (*)

2010-08-02 Includes\Keyloggers.sbi (*)

2010-03-02 Includes\KeyloggersC (2).sbi (*)

2010-10-12 Includes\KeyloggersC.sbi (*)

2004-11-29 Includes\LSP (2).sbi (*)

2004-11-29 Includes\LSP.sbi (*)

2010-03-02 Includes\Malware (2).sbi (*)

2010-09-13 Includes\Malware.sbi (*)

2010-03-02 Includes\MalwareC (2).sbi (*)

2010-10-19 Includes\MalwareC.sbi (*)

2009-03-25 Includes\PUPS (2).sbi (*)

2010-05-18 Includes\PUPS.sbi (*)

2010-03-02 Includes\PUPSC (2).sbi (*)

2010-10-12 Includes\PUPSC.sbi (*)

2010-01-25 Includes\Revision (2).sbi (*)

2010-01-25 Includes\Revision.sbi (*)

2009-01-13 Includes\Security (2).sbi (*)

2009-01-13 Includes\Security.sbi (*)

2010-03-02 Includes\SecurityC (2).sbi (*)

2010-10-12 Includes\SecurityC.sbi (*)

2008-06-03 Includes\Spybots (2).sbi (*)

2008-06-03 Includes\Spybots.sbi (*)

2008-06-03 Includes\SpybotsC (2).sbi (*)

2008-06-03 Includes\SpybotsC.sbi (*)

2010-03-02 Includes\Spyware (2).sbi (*)

2010-06-29 Includes\Spyware.sbi (*)

2010-03-02 Includes\SpywareC (2).sbi (*)

2010-10-12 Includes\SpywareC.sbi (*)

2009-06-08 Includes\Tracks (2).uti (*)

2010-03-08 Includes\Tracks.uti

2010-03-03 Includes\Trojans (2).sbi (*)

2010-08-04 Includes\Trojans.sbi (*)

2010-03-03 Includes\TrojansC (2).sbi (*)

2010-10-12 Includes\TrojansC-02.sbi (*)

2010-10-12 Includes\TrojansC-03.sbi (*)

2010-10-12 Includes\TrojansC-04.sbi (*)

2010-10-20 Includes\TrojansC-05.sbi (*)

2010-10-12 Includes\TrojansC.sbi (*)

2008-03-04 Plugins\Chai.dll

2008-03-05 Plugins\Fennel.dll

2008-02-26 Plugins\Mate.dll

2007-12-24 Plugins\TCPIPAddress.dll

The windows explorer is not removed rest of all are removed by spybot Spybot asks for a startup scan. i have done that but the items detected wont show up Instead Spybot windows show 3 detected at the bottom left side. Spybot dialog box say it is resident in the memory. How to remove the no 6 item called the windows explorer

Could not get the DDS log as got this message when did so

(new) ERR (3) Freshdownload could not take over the download! Click back button to return to normal mode. Please Help us

Regards

Dalfish

Blade81
2010-11-19, 08:48
Hi,

If help still needed:

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Copy-paste following contents into custom scan -area:
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Blade81
2010-11-26, 08:07
Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.