
logs of malwarebytes and hijack


tyler


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:05:52 AM, on 2/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Bell\Security Manager\Fws.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Personal Vault\VaultClientUpgrade.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe

O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe

O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe

O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

--

End of file - 2606 bytes

Malwarebytes' Anti-Malware 1.33

Database version: 1730

Windows 5.1.2600 Service Pack 3

2/4/2009 9:04:05 PM

mbam-log-2009-02-04 (21-04-05).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)

Objects scanned: 116200

Time elapsed: 26 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Awaiting further instruction.


OK, I used ComboFix, here is the result.

ComboFix 09-02-04.01 - user 2009-02-05 3:49:54.2 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.236 [GMT -5:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)

AV: Sympatico Security Manager Anti-Virus *On-access scanning disabled* (Updated)

FW: Sympatico Security Manager Firewall *disabled*

.

((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))

.

2009-02-05 03:12 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll

2009-02-04 19:53 . 2009-02-04 19:53 <DIR> d--hs---- C:\FOUND.016

2009-02-04 19:45 . 2009-02-04 19:45 <DIR> d-------- c:\program files\Trend Micro

2009-02-04 19:44 . 2009-02-04 19:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-02-04 05:14 . 2009-02-04 05:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-04 05:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-04 05:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-04 02:29 . 2009-02-04 02:29 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes

2009-02-04 01:29 . 2009-02-04 01:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP

2009-02-03 14:51 . 2009-02-03 14:51 45,568 --------- c:\windows\system32\clickfile.exe

2009-02-01 10:01 . 2009-02-01 10:01 <DIR> d--hs---- c:\windows\system32\twain32

2009-02-01 02:52 . 2009-02-01 02:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard

2009-02-01 02:03 . 2009-02-01 02:03 <DIR> d-------- c:\program files\Windows Installer Clean Up

2009-02-01 02:02 . 2009-02-01 02:03 <DIR> d-------- c:\program files\MSECACHE

2009-02-01 01:44 . 2009-02-01 01:44 <DIR> d-------- c:\program files\Common Files\iS3

2009-02-01 01:43 . 2009-02-01 01:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-02-01 01:20 . 2009-02-01 01:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-31 09:42 . 2007-08-29 16:06 512,000 --a------ c:\windows\system32\HPIPMX.dll

2009-01-31 09:42 . 2007-08-29 16:06 237,568 --a------ c:\windows\system32\HPIPMXRes.dll

2009-01-31 09:42 . 2007-08-29 16:06 163,840 --a------ c:\windows\system32\CP1215LI.DLL

2009-01-31 09:42 . 2007-08-29 16:06 143,360 --a------ c:\windows\system32\CP1215LM.DLL

2009-01-31 09:42 . 2007-08-29 16:06 114,688 --a------ c:\windows\system32\HPMCoSetup.dll

2009-01-31 09:42 . 2007-08-29 16:06 106,496 --a------ c:\windows\system32\ZSPOOL.DLL

2009-01-31 09:42 . 2007-08-29 16:06 61,440 --a------ c:\windows\system32\ZIMF.DLL

2009-01-31 09:42 . 2008-02-11 15:26 57,344 --a------ c:\windows\system32\CP1215EWS.dll

2009-01-31 09:42 . 2007-08-29 16:06 53,248 --a------ c:\windows\system32\ZTAG.DLL

2009-01-31 09:38 . 2009-01-31 09:38 <DIR> d-------- c:\program files\Hewlett-Packard

2009-01-31 09:17 . 2009-01-31 09:17 <DIR> d-------- c:\documents and settings\user\Application Data\Hewlett-Packard

2009-01-31 06:02 . 2009-02-05 03:53 1,104 --a------ c:\windows\yogodjvv

2009-01-25 17:24 . 2009-01-25 17:24 <DIR> d-------- c:\documents and settings\user\tyler2

2009-01-24 14:51 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll

2009-01-24 14:49 . 2009-01-24 14:49 <DIR> d-------- c:\windows\Logs

2009-01-24 14:49 . 2009-01-24 14:49 302,928 --a------ C:\dxwebsetup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-31 21:39 90,112 ----a-w c:\windows\DUMP46cd.tmp

2009-01-31 21:07 90,112 ----a-w c:\windows\DUMP562e.tmp

2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-11-27 16:14 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-11-27 16:14 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-11-27 16:14 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-11-27 16:14 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-11-27 16:14 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2008-09-15 08:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080916\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=

"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\Personal Vault\VaultClientUpgrade.exe [2008-03-07 53248]

S0 yogodjvv;yogodjvv;c:\windows\system32\drivers\ojmpkcyu.sys []

S3 Radialpoint Security Services;Sympatico Security Manager;c:\program files\Bell\Security Manager\RpsSecurityAware.exe [2008-03-10 67824]

S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys --> c:\windows\system32\XDva143.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c047c248-1f9e-11dd-929f-00016c2deccd}]

\Shell\AutoRun\command - I:\start.exe

.

Contents of the 'Scheduled Tasks' folder

2005-12-23 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-06-18 17:17]

2009-02-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-02-04 c:\windows\Tasks\Registry OK Schedule.job

- c:\program files\Registry OK\RegistryOK.exe []

2009-02-05 c:\windows\Tasks\HP WEP.job

- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 14:28]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\5nquye0b.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-05 03:54:28

Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)

c:\program files\CA\PPRT\bin\CACheck.dll

c:\program files\CA\PPRT\bin\CAHook.dll

c:\program files\CA\PPRT\bin\CAServer.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\BELL\SECURITY MANAGER\FWS.EXE

c:\windows\SYSTEM32\LEXBCES.EXE

c:\windows\SYSTEM32\LEXPPS.EXE

c:\program files\COMMON FILES\AUTHENTIUM\ANTIVIRUS\DVPAPI.EXE

c:\program files\CA\PPRT\BIN\ITMRTSVC.EXE

c:\windows\SYSTEM32\WDFMGR.EXE

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-02-05 3:56:09 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-05 08:56:08

ComboFix2.txt 2009-02-05 08:13:38

Pre-Run: 46,057,455,616 bytes free

Post-Run: 46,036,287,488 bytes free

155 --- E O F --- 2009-01-19 08:04:27

P.S. I could not find out how to turn off some Avira AntiVir, and I ran HijackThis after and I got the same files as before, with some new ones for pop-ups. I need assistance badly, please help me.


Root Admin

Sorry for the delay, please try to be patient as there are many others requesting assistance too and there are only so many of us to help you.

STEP 1 Remove unwanted Anti-Virus

The logs show that you have multiple Anti-Virus products installed. You can only have 1 installed.

Avira AntiVir PersonalEdition

Sympatico Security Manager Anti-Virus

Please choose one and FULLY remove the other one. You should do that NOW.

STEP 2

I would recommend removing Registry OK; cleaning the Registry can often cause more harm than good.

STEP 3

I would recommend using NTFS for the file system instead of FAT32x86 but we can take care of that later if you want to.

STEP 4

Click on START - RUN and copy/paste the contents of the CODE box into the run line and click OK

It will blink a window very quickly and that's it, it's done.

REG DELETE HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{c047c248-1f9e-11dd-929f-00016c2deccd} /F

STEP 5

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
yogodjvv
XDva143


File::
c:\windows\Tasks\Registry OK Schedule.job
c:\windows\system32\drivers\ojmpkcyu.sys
c:\windows\system32\XDva143.sys
c:\windows\system32\clickfile.exe
c:\windows\system32\HPIPMX.dll
c:\windows\system32\HPIPMXRes.dll
c:\windows\system32\CP1215LI.DLL
c:\windows\system32\CP1215LM.DLL
c:\windows\system32\HPMCoSetup.dll
c:\windows\system32\ZSPOOL.DLL
c:\windows\system32\ZIMF.DLL
c:\windows\system32\CP1215EWS.dll
c:\windows\system32\ZTAG.DLL
c:\windows\yogodjvv
c:\windows\DUMP46cd.tmp
c:\windows\DUMP562e.tmp

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

STEP 6

Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 7

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must right-click and choose Run As Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT, do a system scan and save a logfile.

Then post back the NEW MBAM and HJT logs, in that order please.

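The kind of triage the Root Admin did by eye over the logs, as an added example that is not part of any post here nor code from ComboFix, HijackThis or Malwarebytes: a Python checker with my own heuristics that flags the patterns this thread turned up (a boot-start driver ComboFix could not stat, a MountPoints2 AutoRun handler, an O23 service pointing at a missing file, and the firewall switched off), run over sample lines copied from the logs above.

```python
"""Triage heuristics for the ComboFix / HijackThis lines posted in this thread.

Added example for this page; it is not code from any post, from ComboFix,
HijackThis or Malwarebytes. The heuristics are my own and only cover the
patterns visible in the thread. SAMPLE_LOG is constructed from lines copied
out of the logs above.
"""
import re
from typing import List, Tuple

# (severity, reason, offending log line)
Finding = Tuple[str, str, str]

# ComboFix service/driver line: "S0 name;display;path [date size]"
SERVICE_RE = re.compile(r"^([RS][0-3])\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]\s*$")
# ComboFix registry key header, e.g. "[HKEY_CURRENT_USER\...\mountpoints2\{...}]"
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$", re.IGNORECASE)
# AutoRun handler recorded under a MountPoints2 drive key
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)
# Windows Firewall switched off in the standard profile
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')

# Constructed sample: lines taken from the ComboFix and HijackThis logs above.
SAMPLE_LOG = r"""
R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\Personal Vault\VaultClientUpgrade.exe [2008-03-07 53248]
S0 yogodjvv;yogodjvv;c:\windows\system32\drivers\ojmpkcyu.sys []
S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys --> c:\windows\system32\XDva143.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c047c248-1f9e-11dd-929f-00016c2deccd}]
\Shell\AutoRun\command - I:\start.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"EnableFirewall"= 0 (0x0)
"""


def scan_log(text: str) -> List[Finding]:
    """Walk the log once and return the lines a helper would ask about."""
    findings: List[Finding] = []
    current_key = ""          # most recent "[HKEY_...]" header seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue

        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path, meta = m.groups()
            # "[]" or "[?]" means ComboFix could not stat the file: the binary
            # is either already gone or hidden. A boot-start (S0) driver in that
            # state, as yogodjvv was here, is the strongest signal in the log.
            if meta.strip() in ("", "?"):
                severity = "high" if start == "S0" else "medium"
                findings.append((severity,
                                 f"service {name} ({start}) has no file metadata for {path}",
                                 line))
            continue

        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key:
            # MountPoints2 stores per-volume shell handlers; the I:\start.exe entry
            # in this thread is one, and the Root Admin deletes that key in STEP 4.
            findings.append(("high", f"AutoRun command on a mounted drive: {m.group(1)}", line))
            continue

        if line.startswith("O23 - ") and line.endswith("(file missing)"):
            # Leftover service registration after an uninstall: clean-up noise,
            # not malware, but worth listing.
            findings.append(("low", "service entry points at a missing file", line))
            continue

        if FIREWALL_RE.match(line):
            findings.append(("medium", "Windows Firewall disabled in the standard profile", line))

    return findings


def severities(findings: List[Finding]) -> List[str]:
    """Severity labels in log order, for a quick glance or a test."""
    return [severity for severity, _reason, _line in findings]


if __name__ == "__main__":
    for severity, reason, line in scan_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```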

Malwarebytes' Anti-Malware 1.33

Database version: 1732

Windows 5.1.2600 Service Pack 3

2/5/2009 5:24:00 PM

mbam-log-2009-02-05 (17-24-00).txt

Scan type: Quick Scan

Objects scanned: 59001

Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yogodjvv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\ojmpkcyu.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:29:01 PM, on 2/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Bell\Security Manager\Fws.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Personal Vault\VaultClientUpgrade.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe

O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe

O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe

O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

--

End of file - 3244 bytes


I have now run a full Malwarebytes scan and another HijackThis scan, here are the results.

Malwarebytes' Anti-Malware 1.33

Database version: 1732

Windows 5.1.2600 Service Pack 3

2/5/2009 6:16:49 PM

mbam-log-2009-02-05 (18-16-49).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)

Objects scanned: 116480

Time elapsed: 23 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{2F508D62-B983-4B32-B17D-9B046440F78F}\RP1101\A0124202.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Oh crap, lost the HijackThis one, but it has the HKEY Windows ctfmon still and one that resembles the Malwarebytes 2 infected files before. O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe is one of them, it's back on there.


OK, I did run the script as shown and I lost ComboFix by accident. I just ran it again using the same instructions, here are the results.

And thanks for helping.

ComboFix 09-02-05.02 - user 2009-02-06 3:02:39.5 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.320 [GMT -5:00]

Running from: c:\documents and settings\user\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\user\Desktop\CFscript.txt

AV: Sympatico Security Manager Anti-Virus *On-access scanning disabled* (Updated)

FW: Sympatico Security Manager Firewall *disabled*

* Created a new restore point

FILE ::

c:\windows\DUMP46cd.tmp

c:\windows\DUMP562e.tmp

c:\windows\system32\clickfile.exe

c:\windows\system32\CP1215EWS.dll

c:\windows\system32\CP1215LI.DLL

c:\windows\system32\CP1215LM.DLL

c:\windows\system32\drivers\ojmpkcyu.sys

c:\windows\system32\HPIPMX.dll

c:\windows\system32\HPIPMXRes.dll

c:\windows\system32\HPMCoSetup.dll

c:\windows\system32\XDva143.sys

c:\windows\system32\ZIMF.DLL

c:\windows\system32\ZSPOOL.DLL

c:\windows\system32\ZTAG.DLL

c:\windows\Tasks\Registry OK Schedule.job

c:\windows\yogodjvv

.

((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))

.

2009-02-05 17:13 . 2009-02-05 17:13 <DIR> d-------- c:\program files\Yahoo!

2009-02-05 17:13 . 2009-02-05 17:13 <DIR> d-------- c:\program files\CCleaner

2009-02-05 16:52 . 2009-02-05 17:07 3,171,208 --a------ c:\program files\ccsetup216.exe

2009-02-05 16:48 . 2009-02-05 16:48 <DIR> d-------- c:\documents and settings\user\Application Data\Yahoo!

2009-02-05 04:59 . 2009-02-05 04:59 25,085,704 --a------ c:\program files\antivir_workstation_winu_en_h.exe

2009-02-05 03:12 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll

2009-02-04 19:53 . 2009-02-04 19:53 <DIR> d--hs---- C:\FOUND.016

2009-02-04 19:45 . 2009-02-04 19:45 <DIR> d-------- c:\program files\Trend Micro

2009-02-04 05:14 . 2009-02-04 05:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-04 05:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-04 05:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-04 02:29 . 2009-02-04 02:29 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes

2009-02-04 01:29 . 2009-02-04 01:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP

2009-02-01 10:01 . 2009-02-01 10:01 <DIR> d--hs---- c:\windows\system32\twain32

2009-02-01 02:52 . 2009-02-01 02:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard

2009-02-01 02:03 . 2009-02-01 02:03 <DIR> d-------- c:\program files\Windows Installer Clean Up

2009-02-01 02:02 . 2009-02-01 02:03 <DIR> d-------- c:\program files\MSECACHE

2009-02-01 01:44 . 2009-02-01 01:44 <DIR> d-------- c:\program files\Common Files\iS3

2009-02-01 01:43 . 2009-02-01 01:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-02-01 01:20 . 2009-02-01 01:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-31 09:38 . 2009-01-31 09:38 <DIR> d-------- c:\program files\Hewlett-Packard

2009-01-31 09:17 . 2009-01-31 09:17 <DIR> d-------- c:\documents and settings\user\Application Data\Hewlett-Packard

2009-01-25 17:24 . 2009-01-25 17:24 <DIR> d-------- c:\documents and settings\user\tyler2

2009-01-24 14:51 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll

2009-01-24 14:49 . 2009-01-24 14:49 <DIR> d-------- c:\windows\Logs

2009-01-24 14:49 . 2009-01-24 14:49 302,928 --a------ C:\dxwebsetup.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-11-27 16:14 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-11-27 16:14 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-11-27 16:14 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-11-27 16:14 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-11-27 16:14 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2008-09-15 08:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080916\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-15 185784]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=

"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\Personal Vault\VaultClientUpgrade.exe [2008-03-07 53248]

S3 Radialpoint Security Services;Sympatico Security Manager;c:\program files\Bell\Security Manager\RpsSecurityAware.exe [2008-03-10 67824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2005-12-23 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-06-18 17:17]

2009-02-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-02-06 c:\windows\Tasks\HP WEP.job

- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 14:28]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\5nquye0b.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-06 03:07:53

Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)

c:\program files\CA\PPRT\bin\CACheck.dll

c:\program files\CA\PPRT\bin\CAHook.dll

c:\program files\CA\PPRT\bin\CAServer.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\BELL\SECURITY MANAGER\FWS.EXE

c:\windows\SYSTEM32\LEXBCES.EXE

c:\windows\SYSTEM32\LEXPPS.EXE

c:\program files\COMMON FILES\AUTHENTIUM\ANTIVIRUS\DVPAPI.EXE

c:\program files\CA\PPRT\BIN\ITMRTSVC.EXE

c:\windows\SYSTEM32\WDFMGR.EXE

c:\windows\SYSTEM32\WSCNTFY.EXE

.

**************************************************************************

.

Completion time: 2009-02-06 3:09:30 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-06 08:09:28

ComboFix4.txt 2009-02-05 08:56:12

ComboFix3.txt 2009-02-05 21:44:58

ComboFix5.txt 2009-02-06 08:01:44

ComboFix2.txt 2009-02-06 05:51:32

Pre-Run: 45,899,415,552 bytes free

Post-Run: 45,887,455,232 bytes free

165 --- E O F --- 2009-01-19 08:04:27


  • Root Admin

STEP 1

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
  • Reboot your computer after it runs.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
  • Note: some malware will block the running of this tool. So if you cannot run Fixpolicies, then, RENAME the EXE file to something like Mytool.exe and then run it.

STEP 2

Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Unzip the download. Open the folder VArestorepolicies, right-click the file inside, VArestorepolicies.INF, and choose Install.

STEP 3

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

Then post back NEW MBAM and HJT logs, in that order please.


Malwarebytes' Anti-Malware 1.33

Database version: 1733

Windows 5.1.2600 Service Pack 3

2/6/2009 4:08:45 AM

mbam-log-2009-02-06 (04-08-45).txt

Scan type: Quick Scan

Objects scanned: 59893

Time elapsed: 2 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:11:11 AM, on 2/6/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Bell\Security Manager\Fws.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Personal Vault\VaultClientUpgrade.exe

C:\WINDOWS\system32\imapi.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\WgaTray.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe

O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe

O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe

O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

--

End of file - 2767 bytes


  • Root Admin

Can you explain why there are so few entries running for the system?

Normally HJT should be showing many more entries unless either someone has followed advice from sites like Black Viper or there is potentially Rootkit infection that is blocking HJT from seeing all the entries.

Please try renaming C:\Program Files\Trend Micro\HijackThis\HijackThis.exe to Tyler.exe

Then double click and run it and scan and post back a new log.

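The Root Admin's point above, that a thin HJT log can mean entries are being hidden from the tool, is easier to check when two scans of the same machine are laid side by side. The script below is an added example, not code from this thread or from HijackThis: a small Python parser for the HJT v2.0.2 log format seen in this thread, run on constructed, shortened excerpts modelled on the 4:11 AM and 4:23 AM logs; the entry-count threshold in sparse_log_notes is an assumption chosen for illustration.

```python
# Added example: parse HijackThis v2.0.2 logs and compare two scans of one
# machine. Sample logs are constructed, shortened excerpts, not verbatim copies.
import re

LOG_A = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:11 AM, on 2/6/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WgaTray.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

End of file - 2767 bytes
"""

LOG_B = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:47 AM, on 2/6/2009

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\tyler.exl.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
"""

# An HJT entry is a section code (letter plus one or two digits), " - ", body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (processes, entries): lower-cased paths from the 'Running
    processes:' block, and a dict mapping section code to entry bodies."""
    processes, entries = [], {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first R/F/N/O entry ends the process block
            entries.setdefault(m.group("code"), []).append(m.group("body"))
        elif in_procs and "\\" in line:
            processes.append(line.lower())
    return processes, entries


def _flatten(entries):
    return {f"{code} - {body}" for code, bodies in entries.items() for body in bodies}


def diff_logs(earlier, later):
    """Processes, entries and whole sections that vanished or appeared
    between two scans of the same machine."""
    procs_a, ent_a = parse_hjt(earlier)
    procs_b, ent_b = parse_hjt(later)
    return {
        "processes_gone": sorted(set(procs_a) - set(procs_b)),
        "processes_new": sorted(set(procs_b) - set(procs_a)),
        "entries_gone": sorted(_flatten(ent_a) - _flatten(ent_b)),
        "entries_new": sorted(_flatten(ent_b) - _flatten(ent_a)),
        "sections_gone": sorted(set(ent_a) - set(ent_b)),
    }


def sparse_log_notes(text, min_entries=8):
    """Flags for a suspiciously thin log. min_entries is an assumed threshold;
    the R0/R1 check exists because IE's default URL entries are normally listed."""
    _, entries = parse_hjt(text)
    notes = []
    if not any(code in entries for code in ("R0", "R1")):
        notes.append("no R0/R1 Internet Explorer default URL entries")
    total = sum(len(bodies) for bodies in entries.values())
    if total < min_entries:
        notes.append(f"only {total} entries in total (threshold {min_entries})")
    return notes


if __name__ == "__main__":
    print(diff_logs(LOG_A, LOG_B))
    print("notes on later log:", sparse_log_notes(LOG_B))
```

On these samples the diff reports the R1 section and the realsched/WgaTray entries as gone between the two runs, which is the kind of shrinkage the Root Admin is asking about.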

First, I can't explain, and I followed the advice. Here's the new HJT.

I'm not a computer whiz, but I'm following all instructions.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:23:47 AM, on 2/6/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Bell\Security Manager\Fws.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Personal Vault\VaultClientUpgrade.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\tyler.exl.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe

O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe

O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe

O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

--

End of file - 2241 bytes


  • Root Admin

Okay, no problem but something is wrong here.

Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


  • Root Admin

Okay, I think you're going to need access to download this and burn it to a CD to clean up your system.

Please download this, place a blank CD in your burner and double-click on the downloaded file. It will automatically burn the CD for you.

At the bottom left should be 2 flags. If you use your mouse and click on the British flag the interface should switch to English for you.

Have it scan ALL files. There is no way that I'm aware of to save a log, so you may need to write down any special errors or infections found and their outcome.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

    Avira AntiVir Rescue System

    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:

    • repair a damaged system,
    • rescue data,
    • scan the system for virus infections.

    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

Rescue CD screen resolution problem

Please see the post here if you're unable to view the entire screen of Avira.


OK, I ran the program and here is the log:

cheching master boot record of drive 128

129

error (2): cannot read record

auto excluding /sys/ from scans ( is a special fs)

auto excluding /proc from scans ( is a special fs)

checking /mt/ then some Bell Security archive stuff comes up

warning: archive not completely scaned: content encrypted

/mnt/hda1/docume~1/user/desktop/combofix.exe

ALERT:[APPL/PsExec] /mnt/hda1/docume~1/user/desktop/combofix.exe -- arrow 32788r22fwjfw (it the backward) /psexec.cfexe

Next there are a bunch of zsnes files, so I won't put them all, just an example:

/mnt/hda1/docume~1/guest/desktop/zsnesw~1.exe all say in brackets (unknown or supported compression method), and the same for snes9x.exe

Warning :archive not completley scanned: format unsupported

archive: /mnt/hda1/program~1/common~1/scannerppcleaner --arrow vete.dll extract error

then same with inocboot.exe extract error

warning:archive not completly scanned:process error

mnt/hda1/progra~1/bitlord/downlo~1/thelor~1.bc --arrow unknown extract error

about 20 of these bitlord ones

archive: /mnt/hda1/system~1/_resto~1/rp1041/a0119296.exe license.txt extract error (unknown or unsupported compression methods); gens.exe, gens.hlp, gens.txt, history.txt, kailleraclient all extract errors with the same bracketed description, and not completely scanned.

Alert[adspy/softomate.K.8.] /mnt/hda/system~1/resto~1/rp10042/a0119565.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012642.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012643.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012644.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012645.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012646.exe

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012647.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012649.dll

Alert[adspy/zango.c] /mnt/hda/system~1/resto~1/rp1089/a012650.exe

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012651.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012652.exe

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012653.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012654.exe

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012656.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012657.exe

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012658.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012659.dll

Alert[adspy/adspy.Gen] /mnt/hda/system~1/resto~1/rp1089/a012660.dll

Alert[TR/Crypt.XPACK.Gen]/mnt/hda1/system~1/_resto~1/rp1098/a0123644.exe

Alert[TR/Crypt.XPACK.Gen]/mnt/hda1/system~1/_resto~1/rp1098/a0123645.exe

Alert[TR/Crypt.XPACK.Gen]/mnt/hda1/system~1/_resto~1/rp1098/a0123646.exe

Alert[APPL/PsExec.E] /mnt/hda1/system~1/_resto~1/rp1098/a0123663.exe

Alert[APPL/Psexec.e] /mnt/hda1/system~1/_resto~1/rp1098/a0123738.exe

Alert[APPL/psexec.e] /mnt/hda1/system~1/_resto~1/rp1098/a0123786.exe --arrow 32788r22fwjfw/psexec.cfexe

Aler[Appl/psexec.e] /mnt/hda1/system~1/_resto~1/rp1101/a0124025.exe same as above line

Alert[TR/dldr.injector.cbs] /mnt/hda1/system~1/_resto~1/rp1101/a0124035.exe

Alert[APPL/PsExec.E] /mnt/hda1/system~1/_resto~1/rp1101/a0124076.exe

Alert[APPL/PsExec.E] /mnt/hda1/system~1/_resto~1/rp1102/a0124205.exe --arrow 32788r22fwjfw/psexec.cfexe

Alert[APPL/PsExec.E] /mnt/hda1/system~1/_resto~1/rp1102/a0124242.exe

Alert[Adspy/180solutions.AM.1]/mnt/hda1/system~1/_resto~1/rp1083/a0121546

Alert[TR/Crypt.Xpack.Gen]/mnt/hda1/goobox/quaran~1/c/windows/system32/998exe~1.vir

Alert[TR/Crypt.Xpack.Gen]/mnt/hda1/goobox/quaran~1/c/windows/system32/userin~1.vir

Alert[TR/Crypt.Xpack.Gen]/mnt/hda1/goobox/quaran~1/c/windows/system32/clickf~1.vir

Alert[html/Rce.Gen]/mnt/hda1/found.015/file0257.chk

That's it for the scan. I still have it up on my computer if you need more.

And should I try to repair programs in this scanner by clicking the "try repair" folder icon?

Thanks again.


  • Root Admin

No, actually all of those files it found were already either in the Combofix holding area or the System Restore area for Windows which means none of them were a threat anymore to your system.

I was hoping it would find and fix more.

Go ahead and start the computer back up again and try to run and update MBAM and post that log again.

Also please try to describe what issues you're seeing or experiencing.


My system is running OK. Before I did the stuff yesterday my system was rebooting itself by closing down Windows; now it seems the system might be running a bit slower, but everything seems good. So you know, I got this virus from Antivirus 2008, if that helps.

Malwarebytes' Anti-Malware 1.33

Database version: 1736

Windows 5.1.2600 Service Pack 3

2/6/2009 8:16:33 PM

mbam-log-2009-02-06 (20-16-33).txt

Scan type: Quick Scan

Objects scanned: 60932

Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:17:15 PM, on 2/6/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Bell\Security Manager\Fws.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Personal Vault\VaultClientUpgrade.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\tyler.exl.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe

O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe

O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe

O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

--

End of file - 2274 bytes


  • Root Admin

Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP 1

Uninstall ComboFix.exe

  • Click START then RUN
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe

STEP 2

Uninstall GMER

Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.

STEP 3

Uninstall other tools

Please download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.
  • NOW please reboot your computer to finish the cleanup process

When that is done then download this. Then after it's downloaded you should be able to disconnect from the Internet and disable your Anti-Virus before running it.

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the icon next to the files found (shown in the check.gif image). If so, click it and then click the icon right below and select Move incurable, as shown in the move.gif image. This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new HijackThis log.

OK, here's my latest HijackThis, and the other program showed no viruses. PS: I'm not sure if step 2 worked correctly because, on the black screen, it showed a few files and then said access denied.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:35:24 AM, on 2/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Bell\Security Manager\Fws.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Personal Vault\VaultClientUpgrade.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\tyler.exl.exe

C:\WINDOWS\System32\svchost.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Sympatico Security Manager (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\RpsSecurityAware.exe

O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe

O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe

O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - BELL - C:\Program Files\Personal Vault\VaultClientUpgrade.exe

--

End of file - 2355 bytes


  • Root Admin

Please click on START - RUN and type in MSCONFIG and make sure it's set to NORMAL and reboot if needed.

Let me know if it was in NORMAL mode or a Selective or Diagnostic mode.

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
