pdxpogo

Problem is fixed! Latest Scan below Thanks! Malwarebytes' Anti-Malware 1.34 Database version: 1783 Windows 6.0.6001 Service Pack 1 2/21/2009 3:28:35 AM mbam-log-2009-02-21 (03-28-35).txt Scan type: Quick Scan Objects scanned: 71175 Time elapsed: 7 minute(s), 27 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

Any status on resolving the following issue: Malwarebytes' Anti-Malware 1.34 Database version: 1760 Windows 6.0.6001 Service Pack 1 2/13/2009 4:59:56 PM mbam-log-2009-02-13 (16-59-56).txt Scan type: Quick Scan Objects scanned: 72328 Time elapsed: 7 minute(s), 58 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot. [3857535134303627615484708384613770716686778561469001378068867870798584614690014 6868474686147708801528079721577667286] C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot. [3857535134303627615484708384613770716686778561469001378068867870798584614690014 6868474686155746970801587746991] C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot. [3857535134303627615484708384613770716686778561469001378068867870798584614690014 9746885868370846166887076841581747691] C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot. [3857535134303627615484708384613770716686778561469001378068867870798584614690014 9746885868370846184708366781581747691] C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot. [3857535134303627615484708384613770716686778561469001378068867870798584614690014 68684746861469001468684746815868377] C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot. [3857535134303627615484708384613770716686778561469001378068867870798584614690014 97468858683708461469001497468858683708415868377] C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot. [3857535134303627615484708384613770716686778561469001378068867870798584614690015 5746970808461469001557469708015868377]

Thanks so much for the information. I thought I was going crazy. I have however decided to learn more about today's malware. I am being faced with tougher and tougher challenges every day and I am amazed at how far the new tools have advanced. I am used to rooting out these buggers by hand. Keep up the good work! When I'm ready I'd like to help out here.

Recently had to remove a root kit on a clients computer. I used ComboFix with success. I also found out that people were using Malwarebytes product to remove Antivirus 2009 so I downloaded it and ran it on my "clean" laptop imagine my surprise! An infected file was found and removed/quarantined other infected files were marked for removal on reboot these files have persistently stayed put, through several runnings of a MalwareBytes scan (full and quick scans and subsequent suggested reboots) I have run MalwareBytes as Administrator (Vista Premium latest service packs updates etc). I use AVG 8.0 free as antivirus it reports no infections. I run Spybot S&D with tea timer have scaned with Lavasoft AdAware both come up clean. FProt Black light does not report any rootkit detections. Can't really make sense of Sysinternals Rootkit revealer. But Windows Defender reports no rootkit activity detected, The infected files that will not delete are hidden in Junctions and are not visible to the Vista OS Admin users. Searching for the files at the command line doesn't help reveal them either. I haven't tried going after them with a bart PE disk yet. I have no suspicious router activity in the logs I've looked at. I do get an occasional redirected search that makes no sense so I can't see anyone pushing me toward anything it always seems to endup on the Yellow Pages and they do not appear to be related to my original search query. I am sure something is going on here just not sure what. Does any of this sound familiar? Been known to try before I buy software but I try and always check it out in a virtual machine, that isn't to say I might have unleashed something well hidden. Anyway I am prepared to learn humbly from the experts and thanks in advance for any advice. here are my logs: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:52:29 PM, on 1/23/2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Launch Manager\LManager.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Trillian\trillian.exe C:\Windows\system32\igfxsrvc.exe C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe C:\Windows\system32\igfxext.exe C:\Windows\system32\igfxsrvc.exe C:\Windows\system32\wbem\unsecapp.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\7-Zip\7zFM.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Windows\system32\NOTEPAD.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.myway.com/index.jsp?speedbarconfigchanged R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&a...;m=extensa_5630 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Startup: AutorunsDisabled O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O13 - Gopher Prefix: O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_ind.cab O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe -- End of file - 8038 bytes First Run of MalwareBytes: Malwarebytes' Anti-Malware 1.33 Database version: 1685 Windows 6.0.6001 Service Pack 1 1/23/2009 3:32:49 PM mbam-log-2009-01-23 (15-32-49).txt Scan type: Quick Scan Objects scanned: 63071 Time elapsed: 8 minute(s), 2 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot. C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot. C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot. Reboot done no problems 2nd Run Full Scan: Malwarebytes' Anti-Malware 1.33 Database version: 1685 Windows 6.0.6001 Service Pack 1 1/23/2009 5:48:41 PM mbam-log-2009-01-23 (17-48-41).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 221386 Time elapsed: 2 hour(s), 6 minute(s), 53 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 8 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Users\philip\AppData\Roaming\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot. C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot. C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot. Reboot performed again no indication of errors Third run: alwarebytes' Anti-Malware 1.33 Database version: 1685 Windows 6.0.6001 Service Pack 1 1/23/2009 7:13:52 PM mbam-log-2009-01-23 (19-13-52).txt Scan type: Quick Scan Objects scanned: 61058 Time elapsed: 21 minute(s), 23 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot. C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot. C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot. C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.