Malwarebytes can't remove this virus

I'm new, and not sure exactly everything I need, though I did read the thread. I have a problem. I downloaded a bad program and got the virus crssc.exe. It downloaded a bunch of other trojans and whatnot, but I think I may have gotten rid of it. The problem is, it changed something in sys32. I tried a system restore and it was still there. I've run Malwarebytes, AVG, and SpyHunter. They each caught different things, but there are 4 left that cannot be deleted. I'm running 32-bit XP. I can't download programs because I have no connection to the internet. My campus locked my port because I have a virus (it connected to the internet to download other viruses and I guess they saw it on the network). I unfortunately do not have HijackThis, but I do have a Malwarebytes log. I hope it helps. I'd download it but I can't get an internet connection and have to go somewhere else to get a connection. I had a process svschost.exe which I deleted, and an svnshost, which I also deleted. I disabled reader_sl.exe which also helped. Malwarebytes keeps finding 4 dll viruses and says it needs to reboot to delete them, but it doesn't delete them after reboot. Also, when I start my computer, I get a message saying "To help protect your computer, windows has closed this program-data executable prevent Generic Host process for win 32 service." I have my Malwarebytes log which I'll post, I'm sorry if it's not the right thing, don't flame me too hard.

Malwarebytes' Anti-Malware 1.32

Database version: 1616

Windows 5.1.2600 Service Pack 2

2/5/2009 8:23:17 PM

mbam-log-2009-02-05 (20-23-13).txt

Scan type: Quick Scan

Objects scanned: 26474

Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati5flxx (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati5flxx (Rootkit.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati5flxx (Rootkit.Agent) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\ati5flxx.sys (Rootkit.Agent) -> No action taken.

Thank you in advance, and I again apologize if I'm doing this wrong.


  • Root Admin

The logs show you didn't tell MBAM to fix it.

You need to tell MBAM to fix it.

Ignore the update for now, but run it as such. But I doubt it will be able to clean you up.

You need to get the newer version 1.33 and the latest definition files. Maybe see if one of your friends can download it and burn to a CD for you to install.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run As Administrator)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer.

AFTER the reboot, run HJT, do a system scan and save a logfile.

Then post back the NEW MBAM and HJT logs, in that order, please.

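The reply above rests on one detail of the log format: every detection line ends in `-> No action taken.`, which is MBAM's way of recording that the items were found but "Remove Selected" was never clicked. The following Python parser is an added example, not code from the thread or from Malwarebytes: it reads an MBAM 1.x text log as shown in this thread, tallies detections by action, lists the ones still outstanding, and cross-checks the header counts against the detail lines. The sample log is constructed from the entries in the first post; the section and detection-line patterns are assumptions based on that format. Anything other than a confirmed quarantine (including "Delete on reboot", which the original poster reports did not actually remove the files) is treated as unconfirmed until a rescan shows it gone.

```python
"""Summarise a Malwarebytes' Anti-Malware (MBAM 1.x) text log by action taken.

Added example for the thread above; not Malwarebytes code. The log layout
(summary block with counts, then detail sections with one detection per line)
is inferred from the logs posted in the thread.
"""
import re
from collections import Counter

# Section header. In the summary block it carries a count ("Files Infected: 1");
# in the detail block it has none ("Files Infected:").
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+? Infected):\s*(?P<count>\d+)?\s*$")

# Detection line: "<registry key or path> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<target>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$")

# Only this action confirms the item is gone. "No action taken" means the user
# never clicked Remove Selected; "Delete on reboot" is unconfirmed until a
# later scan no longer lists the item.
RESOLVED_ACTIONS = {"Quarantined and deleted successfully"}

# Constructed sample, modelled on the first MBAM log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 2
Scan type: Quick Scan
Objects scanned: 26474
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati5flxx (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati5flxx (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati5flxx (Rootkit.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\drivers\ati5flxx.sys (Rootkit.Agent) -> No action taken.
"""


def parse_mbam_log(text):
    """Return (summary_counts, detections).

    summary_counts: {section name: count} taken from the header block.
    detections: list of dicts with keys section, target, family, action.
    """
    summary = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("name")] = int(m.group("count"))
            else:
                section = m.group("name")   # entering a detail section
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def outstanding(detections):
    """Detections whose recorded action does not confirm removal."""
    return [d for d in detections if d["action"] not in RESOLVED_ACTIONS]


def action_counts(detections):
    """How many detections ended in each action, e.g. {'No action taken': 4}."""
    return Counter(d["action"] for d in detections)


def summary_matches(summary, detections):
    """Cross-check the header counts against the parsed detail lines."""
    per_section = Counter(d["section"] for d in detections)
    return all(per_section.get(name, 0) == count for name, count in summary.items())


def report(text):
    """Human-readable triage of one log."""
    summary, detections = parse_mbam_log(text)
    lines = [f"{len(detections)} detection(s); actions: {dict(action_counts(detections))}"]
    if not summary_matches(summary, detections):
        lines.append("WARNING: header counts do not match detail lines")
    for d in outstanding(detections):
        lines.append(f"  OUTSTANDING [{d['section']}] {d['target']} ({d['family']}): {d['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample, `report()` lists all four `ati5flxx` entries as outstanding, which is exactly what the reply above is pointing out. Feeding it the second log in the thread would instead show five quarantined restore-point copies and four items still marked "Delete on reboot".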

Malwarebytes' Anti-Malware 1.32

Database version: 1616

Windows 5.1.2600 Service Pack 2

2/6/2009 5:41:58 PM

mbam-log-2009-02-06 (17-41-58).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 205691

Time elapsed: 2 hour(s), 4 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ati5flxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ati5flxx (Rootkit.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati5flxx (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1059\A0098656.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1107\A0146673.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1107\A0147678.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1107\A0151684.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP983\A0074952.dll (Adware.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\ati5flxx.sys (Rootkit.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:05:08 PM, on 2/6/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\lxdccoms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\Program Files\DISC\DISCover.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\TEMP\xdz8.tmp

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Vidalia Bundle\Tor\tor.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\ALCXMNTR.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\Last.fm\LastFMHelper.exe

C:\Program Files\Ventrilo\Ventrilo.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.trymedia.com (HKLM)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - {92edb09c-5edb-4980-8ea7-9480a26a7ff3} - C:\WINDOWS\system32\iehlpr32.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: vzqzgw - C:\WINDOWS\SYSTEM32\vzqzgw.dll

O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe

O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--

End of file - 13885 bytes


  • Root Admin

Hi Shane,

Please do me a favor and re-read what I've posted. You MUST get the update if you want to fix this. Please check with a friend on Campus and burn a CD of the NEWER stuff.

1. You did not update MBAM as requested

2. You were asked to use a Quick Scan not a Full Scan

Please update MBAM, then do a quick scan, FIX anything found then post a new HJT log

Then post back both NEW LOGS.

Thanks


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
