Jump to content

Installed malwarebytes but won't run


Recommended Posts

Hi,

The symptons very much sound like the CLB driver infection.

Please use the the following walkthrough to check to see if it is present and atepmt to remove if found.

http://www.malwarebytes.org/forums/index.php?showtopic=12709

If sucessfule please install,update and run MBAM quick scan and post back the log generated and a HiJackThis log.

Thanks in advance.

Link to post
Share on other sites

here is the mbam log:

Malwarebytes' Anti-Malware 1.35

Database version: 1914

Windows 5.1.2600 Service Pack 3

29/03/2009 6:35:46 PM

mbam-log-2009-03-29 (18-35-21).txt

Scan type: Full Scan (C:\|)

Objects scanned: 116019

Time elapsed: 42 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 16

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Zango (Adware.Zango) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\zango (Adware.180Solutions) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\spyware guard (Rogue.SpywareGuard) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER\Local Settings\Temp\TDSSdd18.tmp (Trojan.TDSS) -> No action taken.

C:\WINDOWS\system32\winscenter.exe (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\system32\TDSSarxx.dll (Trojan.TDSS) -> No action taken.

C:\WINDOWS\system32\TDSScfbn.dll (Trojan.TDSS) -> No action taken.

C:\WINDOWS\system32\TDSSoity.dll (Trojan.TDSS) -> No action taken.

C:\WINDOWS\system32\TDSSvoql.dll (Trojan.TDSS) -> No action taken.

C:\Documents and Settings\All Users\Application Data\svhost.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\TDSSlxcp.dll (Trojan.Agent) -> No action taken.

C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\USER\Local Settings\Temp\TDSSdbff.tmp (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> No action taken.

C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> No action taken.

C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> No action taken.

C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> No action taken.

C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> No action taken.

here is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:25:27 PM, on 29/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Acer\eManager\anbmServ.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Acer\ePM\EPM-DM.exe

C:\PROGRA~1\LAUNCH~1\LManager.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\Unwired\UwSCT.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.laptopfactoryoutlet.com.au

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dailytelegraph.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.laptopfactoryoutlet.com.au

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.laptopfactoryoutlet.com.au

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.macromedia.com/shockwave/downlo...om/default.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Laptop Factory Outlet

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe

O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot

O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe

O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--

End of file - 8334 bytes

Thanks for your help.

Link to post
Share on other sites

Great you had TDSS variant CLB but now it is RIP :D

Please open HiJackTHis and place a check(tick) next to the following line only.

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

Next select *Fix Checked*

Your HJT log is looking good to go so are you experiencing anymore issue's on your PC or has MBAM got them nailed :D

Link to post
Share on other sites

Haven't had any problems since I got rid of the driver. I think there are still some other files left because I havent used mbam to purge them yet, you told me to post those logs only. Am I right to get mbam to clean out them out? I guess the hard part was getting rid of the driver that was protecting them.

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.35

Database version: 1914

Windows 5.1.2600 Service Pack 3

2/04/2009 1:55:02 PM

mbam-log-2009-04-02 (13-55-02).txt

Scan type: Quick Scan

Objects scanned: 77346

Time elapsed: 14 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I don't see any problems here.

Link to post
Share on other sites

Hi when i said MBAM log i ment the one where you say MBAM had deleted your audio driver.

That way i can see if MBAM did hit something it was'nt ment to and if it did advise what to restore from MBAM quarantine.

Thanks in advance.

Link to post
Share on other sites

The list of quarantined files is in the log I posted previously, and I think

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> No action taken.

is the one because it is the only one without TDSS in it.

Link to post
Share on other sites

Hi,

My bad somehow i missed the earliar MBAM log you posted.... well i'm not seeing anything in the log suggesting we removed your audio driver and no is not normal to remove legitimate objects.

Very occaisionally as with all these types of softwares sometimes there are what as known as False Positives where something is wrongly identified.

That said nothing in your MBAM log listing that points to either audio driver or its loading service which seems to suggest that something else is responsible for it going AWOL.

Please can you goto Start then select *Run*.Type in services.msc and then select ok

What is the status of your *Plug and Play* service ?

post-1856-1238962149_thumb.jpg

post-1856-1238962149_thumb.jpg

Link to post
Share on other sites

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.