mariewt Posted April 19, 2009 ID:74379 Share Posted April 19, 2009 I Have 4 logs, and will start with the last one. This is the second time it has been found, quarantined and deleted. The first scan found many things that my regular virus program has missed, but it has been disabled evidently, so that may be part of why it is. Advice as to what to do about this Adware thing would be most appreciated. also, could this have been avoided if I had the pro version of malwarebytes? I am thinking of buying it after this, as obviously what I have had is insufficient! thanks! Log from malwarebytes: Malwarebytes' Anti-Malware 1.36Database version: 1999Windows 5.1.2600 Service Pack 32009-04-19 08:44:51mbam-log-2009-04-19 (08-44-51).txtScan type: Full Scan (C:\|)Objects scanned: 272958Time elapsed: 5 hour(s), 50 minute(s), 28 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)log from hijack this Logfile of Trend Micro HijackThis v2.0.2Scan saved at 09:05:31, on 2009-04-19Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsgk32st.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSMA32.EXEC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\FSGK32.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSMB32.EXEC:\WINDOWS\system32\PnkBstrB.exeC:\WINDOWS\system32\RioMSC.exeC:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FCH32.EXEC:\WINDOWS\system32\Smartscaps.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Telia\Supportassistent\bin\sprtsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FAMEH32.EXEC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsqh.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSAUA\program\fsaua.exeC:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exeC:\Program Files\Telia\Telias sakerhetstjanster\FWES\Program\fsdfwd.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fssm32.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSAUA\program\fsus.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsav32.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exeC:\Program Files\Personal\bin\Personal.exeC:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exeC:\Program Files\OpenOffice.org 2.4\program\soffice.exeC:\Program Files\OpenOffice.org 2.4\program\soffice.BINC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Skype\Plugin Manager\skypePM.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Windows Live\Toolbar\wltuser.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%sR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/se/sve/gen/default.htmR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO1 - Hosts: 82.98.231.89 url.adtrgt.comO1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.netO1 - Hosts: y modified by Norman Malware CleanerO2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: (no name) - {8710DF42-3171-4A3B-9079-3F7D7101552B} - C:\Program Files\Applications\iebt.dll (file missing)O2 - BHO: Windows Live inloggningshj Link to post Share on other sites More sharing options...
mariewt Posted April 22, 2009 Author ID:75352 Share Posted April 22, 2009 ran another scan and it did the same thing, found the same thing. Also, my virus program F-Secure keeps telling me it is finding other things. it says that "dangerous codes" were found in C:\WINDOWS\SYSTEM32\mabarili.dll.0mp. and C:\WINDOWS\SYSTEM32\tazofehu.dll.0ir. and C:\WINDOWS\SYSTEM32\zajeyema.dll.0mp. and then it says that it is Trojan.win32.stuh.cvx for all three. it gives me them one at a time, via pop ups that come up while the MBAM is doing its scan. Am on another computer now, so can't copy paste the last MBAM log, but it is basically the s Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 24, 2009 Staff ID:75871 Share Posted April 24, 2009 Hi,Malwarebytes' Anti-Malware 1.36Database version: 1999First of all, please update MalwareBytes, because the databaseversion is outdated.Start MalwareBytes and click the Update tab. There click "Check for updates"In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.Once the updates are downloaded, perform a full scan again.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Link to post Share on other sites More sharing options...
mariewt Posted April 26, 2009 Author ID:76254 Share Posted April 26, 2009 Thanks! The check updates worked fine, I ran the scan and the hijack this and will paste in the logs below. It didn't ask me to reboot. I haven't scanned it again to see if it is back like last time - will await your instructions instead :-) Here is the new MBAM log: Malwarebytes' Anti-Malware 1.36Database version: 2043Windows 5.1.2600 Service Pack 32009-04-26 12:53:21mbam-log-2009-04-26 (12-53-21).txtScan type: Full Scan (C:\|)Objects scanned: 282417Time elapsed: 2 hour(s), 42 minute(s), 31 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 8Registry Values Infected: 2Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{6f396a67-f473-48c9-9950-636ce17e584e} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{b8c5186e-ec37-4889-9c2e-f73649ffb7bb} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{8710df42-3171-4a3b-9079-3f7d7101552b} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b8c5186e-ec37-4889-9c2e-f73649ffb7bb} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8710df42-3171-4a3b-9079-3f7d7101552b} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c5186e-ec37-4889-9c2e-f73649ffb7bb} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8710df42-3171-4a3b-9079-3f7d7101552b} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{6f396a67-f473-48c9-9950-636ce17e584e} (Trojan.Zlob) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rare (Trojan.Zlob) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)and the hijack this log: Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:58:23, on 2009-04-26Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16827)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsgk32st.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSMA32.EXEC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\FSGK32.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSMB32.EXEC:\WINDOWS\system32\PnkBstrB.exeC:\WINDOWS\system32\RioMSC.exeC:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exeC:\WINDOWS\system32\Smartscaps.exeC:\Program Files\Telia\Supportassistent\bin\sprtsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FCH32.EXEC:\Program Files\Telia\Telias sakerhetstjanster\Common\FAMEH32.EXEC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsqh.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSAUA\program\fsaua.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fssm32.exeC:\Program Files\Telia\Telias sakerhetstjanster\FWES\Program\fsdfwd.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSAUA\program\fsus.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsav32.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSM32.EXEC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSGUI\fsguidll.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exeC:\Program Files\Personal\bin\Personal.exeC:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exeC:\Program Files\OpenOffice.org 2.4\program\soffice.exeC:\Program Files\OpenOffice.org 2.4\program\soffice.BINC:\Program Files\Skype\Plugin Manager\skypePM.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSGUI\scanwizard.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Windows Live\Toolbar\wltuser.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%sR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/se/sve/gen/default.htmR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO1 - Hosts: 82.98.231.89 url.adtrgt.comO1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.netO1 - Hosts: y modified by Norman Malware CleanerO2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: Windows Live inloggningshj Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 26, 2009 Staff ID:76265 Share Posted April 26, 2009 HI,* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:O1 - Hosts: 82.98.231.89 url.adtrgt.comO1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.netO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)O3 - Toolbar: Little Fighter 2 Toolbar - {C11483F7-D7D8-4804-98D8-6055470BB989} - C:\Program Files\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll (file missing)O3 - Toolbar: (no name) - {EA0D26BD-9029-431A-86E0-83152D67828A} - (no file)O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)O20 - AppInit_DLLs: ,* Click on Fix Checked when finished and exit HijackThis.Make sure your Internet Explorer is closed when you click Fix CheckedReboot and scan again with Malwarebytes and post the new log in your next reply Link to post Share on other sites More sharing options...
mariewt Posted April 26, 2009 Author ID:76303 Share Posted April 26, 2009 It took a bit as I had to do the scan twice as my pc had some sort of memory problem toward the end of the first one. this is the new log: Malwarebytes' Anti-Malware 1.36Database version: 2043Windows 5.1.2600 Service Pack 32009-04-26 19:45:25mbam-log-2009-04-26 (19-45-25).txtScan type: Full Scan (C:\|)Objects scanned: 281997Time elapsed: 2 hour(s), 17 minute(s), 57 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)and the hijack this one: Logfile of Trend Micro HijackThis v2.0.2Scan saved at 19:46:03, on 2009-04-26Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16827)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSM32.EXEC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsgk32st.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSMA32.EXEC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\FSGK32.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\PnkBstrB.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSMB32.EXEC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\RioMSC.exeC:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exeC:\WINDOWS\system32\Smartscaps.exeC:\Program Files\Telia\Supportassistent\bin\sprtsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FCH32.EXEC:\Program Files\Personal\bin\Personal.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FAMEH32.EXEC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsqh.exeC:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSAUA\program\fsaua.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fssm32.exeC:\Program Files\Telia\Telias sakerhetstjanster\FWES\Program\fsdfwd.exeC:\Program Files\OpenOffice.org 2.4\program\soffice.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSAUA\program\fsus.exeC:\Program Files\OpenOffice.org 2.4\program\soffice.BINC:\Program Files\Telia\Telias sakerhetstjanster\FSGUI\fsguidll.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsav32.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%sR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/se/sve/gen/default.htmR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO1 - Hosts: y modified by Norman Malware CleanerO2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: Windows Live inloggningshj Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 26, 2009 Staff ID:76305 Share Posted April 26, 2009 one interesting thing as well is that the virus program I have reacted to several things while the scan was going on and kept finding things and saying that the measures taken had failed....what next ?It says failed because malwarebytes already removed the files. So when the other scanners wants to delete them, it fails since the files are already gone.Your log looke OK again. How are things now? Link to post Share on other sites More sharing options...
mariewt Posted April 26, 2009 Author ID:76306 Share Posted April 26, 2009 That makes sense, thanks. Everything seems ok at the moment, but I wonder if it will be back the next time I do the scan? Should I run it again and see what it says? I ask as this is the same file it kept finding before, even after it had qarantined and deleted successfuly according to the logs. If the logs look ok to you now, though, maybe it worked this time and the best thing to do is to buy the version I can download to prevent this sort of thing happening again? I am assuming it will work ok with virus program I have via my internet provider (it is f-secure) ? Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 26, 2009 Staff ID:76308 Share Posted April 26, 2009 Hi,That's just a leftover in the registry though. Not sure why it keeps returning, unless more users/profiles are logged in at the same time, then this may happen (I've seen this before) or your Antivirus is interfering (as you said in your previous post). If it comes back, then rescan again from Windows safe mode.Yes, MalwareBytes is compatible with other Antivirus. Link to post Share on other sites More sharing options...
mariewt Posted April 26, 2009 Author ID:76309 Share Posted April 26, 2009 [Thanks!!! I will do that... can I ask why it makes a difference if you do the scan in safe mode? Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 26, 2009 Staff ID:76312 Share Posted April 26, 2009 can I ask why it makes a difference if you do the scan in safe mode?Then I'm sure that you'll be logged in with only 1 useraccount and no Antivirus and other programs are running in the background that may interfere or block the removal of that key. Link to post Share on other sites More sharing options...
mariewt Posted April 26, 2009 Author ID:76316 Share Posted April 26, 2009 ah! I will do that first then so I know that is gone before I start anything else.... thanks ever so much for all your help!! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 26, 2009 Staff ID:76322 Share Posted April 26, 2009 You're most welcome Link to post Share on other sites More sharing options...
mariewt Posted April 27, 2009 Author ID:76390 Share Posted April 27, 2009 [Hi again! I did a new scan i safe mode and it found more stuff and required a reboot to finish. I restarted but the restart wasn't in safe mode. this is the log of hijack Logfile of Trend Micro HijackThis v2.0.2Scan saved at 04:21:07, on 2009-04-27Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16827)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsgk32st.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSMA32.EXEC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\FSGK32.EXEC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSMB32.EXEC:\WINDOWS\system32\PnkBstrB.exeC:\WINDOWS\system32\RioMSC.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FCH32.EXEC:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exeC:\WINDOWS\system32\Smartscaps.exeC:\Program Files\Telia\Supportassistent\bin\sprtsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FAMEH32.EXEC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsqh.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSAUA\program\fsaua.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fssm32.exeC:\Program Files\Telia\Telias sakerhetstjanster\FWES\Program\fsdfwd.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSAUA\program\fsus.exeC:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsav32.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Telia\Telias sakerhetstjanster\Common\FSM32.EXEC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\dumprep.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Telia\Telias sakerhetstjanster\FSGUI\fsguidll.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exeC:\Program Files\Personal\bin\Personal.exeC:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exeC:\Program Files\OpenOffice.org 2.4\program\soffice.exeC:\Program Files\OpenOffice.org 2.4\program\soffice.BINC:\Program Files\Skype\Plugin Manager\skypePM.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%sR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/se/sve/gen/default.htmR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO1 - Hosts: y modified by Norman Malware CleanerO2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: Windows Live inloggningshj Link to post Share on other sites More sharing options...
mariewt Posted April 27, 2009 Author ID:76404 Share Posted April 27, 2009 It is still showing in the scan -- Malwarebytes' Anti-Malware 1.36Database version: 2043Windows 5.1.2600 Service Pack 32009-04-27 06:59:20mbam-log-2009-04-27 (06-59-20).txtScan type: Full Scan (C:\|)Objects scanned: 280660Time elapsed: 2 hour(s), 14 minute(s), 15 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)hijack this logLogfile of Trend Micro HijackThis v2.0.2Scan saved at 07:01:17, on 2009-04-27Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16827)Boot mode: Safe modeRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.yahoo.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%sR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/se/sve/gen/default.htmR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO1 - Hosts: y modified by Norman Malware CleanerO2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: Windows Live inloggningshj Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 27, 2009 Staff ID:76408 Share Posted April 27, 2009 Hi,It's normal that the scan would afterwards find files in the System Volume Information folder.Still strange why that 1 entry won't get fixed - could be a permission issue. Anyway, do next please..* Please visit this webpage for instructions for downloading and running ComboFix:http://www.bleepingcomputer.com/combofix/how-to-use-combofixPost the log from ComboFix in your next reply.Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how. Link to post Share on other sites More sharing options...
mariewt Posted April 27, 2009 Author ID:76642 Share Posted April 27, 2009 well, that was certainly exhilerating. I found myself terrified the whole time.... I am definately out of my comfort zone here! After it showed the log the screen turned a funny red (which it does sometimes) and I had to restart it. Other than it taking an excrutiating amount of time to get started again, it seems pretty normal now. (!)So here is the log, it did seem to find and delete things as it went. I will await further instructions... ComboFix 09-04-27.02 - Lynelle 2009-04-27 22:15.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.429 [GMT 2:00]Running from: c:\documents and settings\Lynelle\Desktop\ComboFix.exeAV: Telia S Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 27, 2009 Staff ID:76647 Share Posted April 27, 2009 Hi,* Please download the Suspicious File Packer from here:http://www.safer-networking.org/files/sfp.zipUnzip it to the desktop and run it.Paste the following bold part into the Suspicious File Packer window:C:\qoobox\quarantine\C\windows\system32\bupufana.dll.virC:\qoobox\quarantine\C\windows\system32\fezahoyu.dll.virC:\qoobox\quarantine\C\windows\system32\fohomugu.exe.virC:\qoobox\quarantine\C\windows\system32\jujofuja.exe.virc:\windows\system32\tevupiru.exeAllow SFP to pack the file. This will generate a CAB archive on your desktop.Go to this page.Enter the url of this thread in the first field.Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.The cab file will be called requested-files[*].cab (the * stands for the date and hour).Then click the Send File button below.Then, * Open hijackthis, click 'config' (bottom right)Choose the tab 'misc Tools' on top.Choose 'delete a file on reboot'In the field, copy and paste next:c:\windows\system32\tevupiru.exeClick open.Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/okYour system should reboot now.Then rescan with Malwarebytes and let me know if it's still detecting it.Strange though, because the files that Combofix found are no way related with 180solutions. It actually doesn't make sense. Link to post Share on other sites More sharing options...
mariewt Posted April 28, 2009 Author ID:76855 Share Posted April 28, 2009 ok, did that.. it is still finding the same thing - here is the logMalwarebytes' Anti-Malware 1.36Database version: 2043Windows 5.1.2600 Service Pack 32009-04-28 20:46:59mbam-log-2009-04-28 (20-46-59).txtScan type: Full Scan (C:\|)Objects scanned: 266168Time elapsed: 2 hour(s), 11 minute(s), 7 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)if it is of interest, the virus program I have came up with a blocked virus Trojan-Downloader.Win32.Zlob.angt under c:\program files\applicationsis this one that is in quarantine? it has found it several times and asked what to do with it while the scan has been going pm and I have just left the pop up open and not told it to do anything. it wants to know if it should be quarantined, cleaned, removed or do nothing... Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 28, 2009 Staff ID:76859 Share Posted April 28, 2009 if it is of interest, the virus program I have came up with a blocked virusTrojan-Downloader.Win32.Zlob.angtunder c:\program files\applicationsYes, let it delete it.For the HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1 (Adware.180Solutions) -> Quarantined and deleted successfully., let's see if it even exists.To find out, do next.. go to start > run and type: cmdHit enterIn the black Window, copy and paste the following..regedit /e peek.txt "HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1" & notepad peek.txtHit enterIf the key is present, then notepad should open with some contents. Copy and paste the contents here.If the key isn't present, you should get a blanco notepad file. Link to post Share on other sites More sharing options...
mariewt Posted April 28, 2009 Author ID:76867 Share Posted April 28, 2009 how interesting. it said it couldn't find the file. why is the scan finding it each time? .....and does that mean I can ignore it, install the "proper" version of mbam and feel safe ?? (safer?) the symptoms it was showing of being infected have gone away, and it doesn't find anything else, but why did the Combofix thing find other stuff? I find myself a bit paranoid.. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 28, 2009 Staff ID:76878 Share Posted April 28, 2009 Those were only inactive leftovers Combofix found.I don't understand why mbam finds that key while it's not even there..Just as a doublecheck, Download the Registry Search Tool from next page:http://www.billsway.com/vbspage/Unzip it and run it. If your antivirus interferes, you have to disable script blocking in the antivirus. Put the following in the search box:lmgr180.wmdrmax.1Let it start the scan. Post the results of the textfile you get in your next reply. Link to post Share on other sites More sharing options...
mariewt Posted April 28, 2009 Author ID:76883 Share Posted April 28, 2009 it didn't give me a text file, only a little pop up that said ---------------------------RegSrch.vbs Link to post Share on other sites More sharing options...
mariewt Posted April 28, 2009 Author ID:76887 Share Posted April 28, 2009 have now registered and have a lovely icon on the bottom of my screen to reassure me if i set the automatic updates at 1 am and my computer isn't on then, I assume it will run them as soon after that as possible? or should I set them for when I will probably be online instead? I really appreciate all of your help with this!!!!!! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted April 28, 2009 Staff ID:76896 Share Posted April 28, 2009 Well, no lmgr180.wmdrmax.1 found. Let's try just one more thing - because it could be a permission issue..Open notepad and copy and paste next present in the quotebox in it:swreg acl "HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1" /resetswreg delete HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1Save this as delete.bat , choose to save as *all files and place it on your desktop. It should look like this: Doubleclick on it.Then run mbam again.If still the same, then just set it to ignore in mbam. Will try to reproduce this how this comes and will contact you via PM afterwards if I could reproduce it.In anyway, really don't worry about it and set it in mbam to ignore. Yes, automatic updates and even scan will run at the time you've set it. Otherwise, if your pc was not on, just rightclick icon and select Update. It's always a good idea to shedule the scan/update when you know your computer is on in most of the cases. * Go to start > run and copy and paste next command in the field:ComboFix /uMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.Glad I could help Link to post Share on other sites More sharing options...
Recommended Posts