HELP with DMSetup Trojan & Possibly Remote Storm

OK, could you send me the files for closer examination:

RMAgentOutput.dll
C:\WINDOWS\SYSTEM32\ExMenu.dll
C:\WINDOWS\SYSTEM32\ExPMenu.dll
C:\WINDOWS\SYSTEM32\ExTab.dll
D:\WINDOWS\system32\cmd.ftp


Zip them up, then send them as an attachment to
illukka AT malware-research.co.uk
(remove the spaces from the addy and replace AT with @ :)

I'll take a look at them.
Put a link to this thread in your message so I know where it's from :)


As for the malware files, locate and delete these:
D:\Documents and Settings\Savina\Desktop\pumpkinpatch01.exe <-- delete this file
D:\Documents and Settings\Savina\Desktop\wcfautumnwoods.exe <-- delete this file
D:\Documents and Settings\Savina\Desktop\wcfgoldenwoods.exe <-- delete this file
D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet <-- delete this folder
D:\WINDOWS\system32\cmd.ftp <-- delete this file


For the malware registry entries mentioned in the mwaw log, I suggest running a scan with Spybot and Ad-Aware.
Allow Spybot to fix red items, and for Ad-Aware allow it to fix all critical items.
 
Cmd.ftp

Okay great, I deleted those files... also, the cmd.ftp file - there's one that's right next to it that's cmd.exe & it says it's "Windows Command Processor" - should I delete that one also or leave it alone?

I'll e-mail those files over to you now...
 
I couldn't find anything malicious in them; also sent them to some AV analysts, haven't heard back...

Are there still problems?
 
stuff...

Hi,

Well, I guess that's comforting... there isn't really anything happening except when I turn off my Windows Firewall. When I turn that off, I get a barrage of notifications saying that a remote system is trying to access my computer. I've only turned it off a couple of times to follow the steps you've given me... I leave it on all the time otherwise and haven't gotten any alerts recently. I'll run another scan to see what ports are open - but I don't know if that'll help much since I don't know how to close them or what programs are using them in the first place...

Hopefully, if there is some malware, the Windows Firewall is blocking the remote controller from being able to make it active... I'll post the .txt file with my port scan here tomorrow (Thursday)... thank you again for all of your help!!
 
A-Ok

Hi Tashi,

I think everything's okay - I haven't gotten any notices... but I'm still a little nervous since I kept getting those notices that someone was trying to access my computer. I guess I'll keep an eye on things and let you guys know if anything new comes up. Thank you for the help - it's greatly appreciated!!!
 
Thank you for letting us know, wordsmith. :cool:

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.